# Zero Trust

# Devices

## List devices (deprecated)

`client.ZeroTrust.Devices.List(ctx, query) (*SinglePage[Device], error)`

**get** `/accounts/{account_id}/devices`

List WARP devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated**: please use one of the following endpoints instead:

- GET /accounts/{account_id}/devices/physical-devices
- GET /accounts/{account_id}/devices/registrations

### Parameters

- `query DeviceListParams`
  - `AccountID param.Field[string]`

### Returns

- `type Device struct{…}`
  - `ID string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `Created Time` When the device was created.
  - `Deleted bool` True if the device was deleted.
  - `DeviceType DeviceDeviceType`
    - `const DeviceDeviceTypeWindows DeviceDeviceType = "windows"`
    - `const DeviceDeviceTypeMac DeviceDeviceType = "mac"`
    - `const DeviceDeviceTypeLinux DeviceDeviceType = "linux"`
    - `const DeviceDeviceTypeAndroid DeviceDeviceType = "android"`
    - `const DeviceDeviceTypeIos DeviceDeviceType = "ios"`
    - `const DeviceDeviceTypeChromeos DeviceDeviceType = "chromeos"`
  - `IP string` IPv4 or IPv6 address.
  - `Key string` The device's public key.
  - `LastSeen Time` When the device last connected to Cloudflare services.
  - `MacAddress string` The device mac address.
  - `Manufacturer string` The device manufacturer name.
  - `Model string` The device model name.
  - `Name string` The device name.
  - `OSDistroName string` The Linux distro name.
  - `OSDistroRevision string` The Linux distro revision.
  - `OSVersion string` The operating system version.
  - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision).
    For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `RevokedAt Time` When the device was revoked.
  - `SerialNumber string` The device serial number.
  - `Updated Time` When the device was updated.
  - `User DeviceUser`
    - `ID string` UUID.
    - `Email string` The contact email address of the user.
    - `Name string` The enrolled device user's name.
  - `Version string` The WARP client version.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Devices.List(context.TODO(), zero_trust.DeviceListParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created": "2017-06-14T00:00:00Z",
      "deleted": true,
      "device_type": "windows",
      "ip": "1.1.1.1",
      "key": "yek0SUYoOQ10vMGsIYAevozXUQpQtNFJFfFGqER/BGc=",
      "last_seen": "2017-06-14T00:00:00Z",
      "mac_address": "00-00-5E-00-53-00",
      "manufacturer": "My phone corp",
      "model": "MyPhone(pro-X)",
      "name": "My mobile device",
      "os_distro_name": "ubuntu",
      "os_distro_revision": "1.0.0",
      "os_version": "10.0.0",
      "os_version_extra": "(a) or 6889 or Ubuntu 24.04",
      "revoked_at": "2017-06-14T00:00:00Z",
      "serial_number": "EXAMPLEHMD6R",
      "updated": "2017-06-14T00:00:00Z",
      "user": {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "email": "user@example.com",
        "name": "John Appleseed"
      },
      "version": "1.0.0"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device (deprecated)

`client.ZeroTrust.Devices.Get(ctx, deviceID, query) (*DeviceGetResponse, error)`

**get** `/accounts/{account_id}/devices/{device_id}`

Fetches a single WARP device. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated**: please use one of the following endpoints instead:

- GET /accounts/{account_id}/devices/physical-devices/{device_id}
- GET /accounts/{account_id}/devices/registrations/{registration_id}

### Parameters

- `deviceID string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
- `query DeviceGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceGetResponse struct{…}`
  - `ID string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `Account DeviceGetResponseAccount`
    - `ID string`
    - `AccountType string`
    - `Name string` The name of the enrolled account.
  - `Created Time` When the device was created.
  - `Deleted bool` True if the device was deleted.
  - `DeviceType string`
  - `GatewayDeviceID string`
  - `IP string` IPv4 or IPv6 address.
  - `Key string` The device's public key.
  - `KeyType string` Type of the key.
  - `LastSeen Time` When the device last connected to Cloudflare services.
  - `MacAddress string` The device mac address.
  - `Model string` The device model name.
  - `Name string` The device name.
  - `OSVersion string` The operating system version.
  - `SerialNumber string` The device serial number.
  - `TunnelType string` Type of the tunnel connection used.
  - `Updated Time` When the device was updated.
  - `User DeviceGetResponseUser`
    - `ID string` UUID.
    - `Email string` The contact email address of the user.
    - `Name string` The enrolled device user's name.
  - `Version string` The WARP client version.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  device, err := client.ZeroTrust.Devices.Get(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.DeviceGetParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", device.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "account": {
      "id": "id",
      "account_type": "account_type",
      "name": "Company"
    },
    "created": "2017-06-14T00:00:00Z",
    "deleted": true,
    "device_type": "windows",
    "gateway_device_id": "PD33E90AXfafe14643cbbbc-4a0ed4fc8415Q",
    "ip": "1.1.1.1",
    "key": "yek0SUYoOQ10vMGsIYAevozXUQpQtNFJFfFGqER/BGc=",
    "key_type": "curve25519",
    "last_seen": "2017-06-14T00:00:00Z",
    "mac_address": "00-00-5E-00-53-00",
    "model": "MyPhone(pro-X)",
    "name": "My mobile device",
    "os_version": "10.0.0",
    "serial_number": "EXAMPLEHMD6R",
    "tunnel_type": "masque",
    "updated": "2017-06-14T00:00:00Z",
    "user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    },
    "version": "1.0.0"
  },
  "success": true
}
```

## Domain Types

### Device

- `type Device struct{…}`
  - `ID string` Registration ID.
    Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `Created Time` When the device was created.
  - `Deleted bool` True if the device was deleted.
  - `DeviceType DeviceDeviceType`
    - `const DeviceDeviceTypeWindows DeviceDeviceType = "windows"`
    - `const DeviceDeviceTypeMac DeviceDeviceType = "mac"`
    - `const DeviceDeviceTypeLinux DeviceDeviceType = "linux"`
    - `const DeviceDeviceTypeAndroid DeviceDeviceType = "android"`
    - `const DeviceDeviceTypeIos DeviceDeviceType = "ios"`
    - `const DeviceDeviceTypeChromeos DeviceDeviceType = "chromeos"`
  - `IP string` IPv4 or IPv6 address.
  - `Key string` The device's public key.
  - `LastSeen Time` When the device last connected to Cloudflare services.
  - `MacAddress string` The device mac address.
  - `Manufacturer string` The device manufacturer name.
  - `Model string` The device model name.
  - `Name string` The device name.
  - `OSDistroName string` The Linux distro name.
  - `OSDistroRevision string` The Linux distro revision.
  - `OSVersion string` The operating system version.
  - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `RevokedAt Time` When the device was revoked.
  - `SerialNumber string` The device serial number.
  - `Updated Time` When the device was updated.
  - `User DeviceUser`
    - `ID string` UUID.
    - `Email string` The contact email address of the user.
    - `Name string` The enrolled device user's name.
  - `Version string` The WARP client version.

# Devices

## List devices

`client.ZeroTrust.Devices.Devices.List(ctx, params) (*CursorPagination[DeviceDeviceListResponse], error)`

**get** `/accounts/{account_id}/devices/physical-devices`

Lists WARP devices.

### Parameters

- `params DeviceDeviceListParams`
  - `AccountID param.Field[string]` Path param
  - `ID param.Field[[]string]` Query param: Filter by one or more device IDs.
  - `ActiveRegistrations param.Field[DeviceDeviceListParamsActiveRegistrations]` Query param: Include or exclude devices with active registrations. The default is "only" - return only devices with active registrations.
    - `const DeviceDeviceListParamsActiveRegistrationsInclude DeviceDeviceListParamsActiveRegistrations = "include"`
    - `const DeviceDeviceListParamsActiveRegistrationsOnly DeviceDeviceListParamsActiveRegistrations = "only"`
    - `const DeviceDeviceListParamsActiveRegistrationsExclude DeviceDeviceListParamsActiveRegistrations = "exclude"`
  - `Cursor param.Field[string]` Query param: Opaque token indicating the starting position when requesting the next set of records. A cursor value can be obtained from the result_info.cursor field in the response.
  - `Include param.Field[string]` Query param: Comma-separated list of additional information that should be included in the device response. Supported values are: "last_seen_registration.policy".
  - `LastSeenUser param.Field[DeviceDeviceListParamsLastSeenUser]` Query param
    - `Email string` Filter by the last seen user's email.
  - `PerPage param.Field[int64]` Query param: The maximum number of devices to return in a single response.
  - `Search param.Field[string]` Query param: Search by device details.
  - `SeenAfter param.Field[string]` Query param: Filter by the last_seen timestamp - returns only devices last seen after this timestamp.
  - `SeenBefore param.Field[string]` Query param: Filter by the last_seen timestamp - returns only devices last seen before this timestamp.
  - `SortBy param.Field[DeviceDeviceListParamsSortBy]` Query param: The device field to order results by.
    - `const DeviceDeviceListParamsSortByName DeviceDeviceListParamsSortBy = "name"`
    - `const DeviceDeviceListParamsSortByID DeviceDeviceListParamsSortBy = "id"`
    - `const DeviceDeviceListParamsSortByClientVersion DeviceDeviceListParamsSortBy = "client_version"`
    - `const DeviceDeviceListParamsSortByLastSeenUserEmail DeviceDeviceListParamsSortBy = "last_seen_user.email"`
    - `const DeviceDeviceListParamsSortByLastSeenAt DeviceDeviceListParamsSortBy = "last_seen_at"`
    - `const DeviceDeviceListParamsSortByActiveRegistrations DeviceDeviceListParamsSortBy = "active_registrations"`
    - `const DeviceDeviceListParamsSortByCreatedAt DeviceDeviceListParamsSortBy = "created_at"`
  - `SortOrder param.Field[DeviceDeviceListParamsSortOrder]` Query param: Sort direction.
    - `const DeviceDeviceListParamsSortOrderAsc DeviceDeviceListParamsSortOrder = "asc"`
    - `const DeviceDeviceListParamsSortOrderDesc DeviceDeviceListParamsSortOrder = "desc"`

### Returns

- `type DeviceDeviceListResponse struct{…}` A WARP Device.
  - `ID string` The unique ID of the device.
  - `ActiveRegistrations int64` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `CreatedAt string` The RFC3339 timestamp when the device was created.
  - `LastSeenAt string` The RFC3339 timestamp when the device was last seen.
  - `Name string` The name of the device.
  - `UpdatedAt string` The RFC3339 timestamp when the device was last updated.
  - `ClientVersion string` Version of the WARP client.
  - `DeletedAt string` The RFC3339 timestamp when the device was deleted.
  - `DeviceType string` The device operating system.
  - `HardwareID string` A string that uniquely identifies the hardware or virtual machine (VM).
  - `LastSeenRegistration DeviceDeviceListResponseLastSeenRegistration` The last seen registration for the device.
    - `Policy DeviceDeviceListResponseLastSeenRegistrationPolicy` A summary of the device profile evaluated for the registration.
      - `ID string` The ID of the device settings profile.
      - `Default bool` Whether the device settings profile is the default profile for the account.
      - `Deleted bool` Whether the device settings profile was deleted.
      - `Name string` The name of the device settings profile.
      - `UpdatedAt string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `LastSeenUser DeviceDeviceListResponseLastSeenUser` The last user to use the WARP device.
    - `ID string` UUID.
    - `Email string` The contact email address of the user.
    - `Name string` The enrolled device user's name.
  - `MacAddress string` The device MAC address.
  - `Manufacturer string` The device manufacturer.
  - `Model string` The model name of the device.
  - `OSVersion string` The device operating system version number.
  - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `PublicIP string` **Deprecated**: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `SerialNumber string` The device serial number.
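
The `Cursor` parameter and the `active_registrations` and `last_seen_at` fields above are enough to build a stale-device review: walk every page, then list devices that still hold an active registration but have not been seen since a cutoff, as candidates for the revoke endpoint. The following is an added example, not code from the SDK or its documentation; it uses only the standard library, the `FetchPage` hook and the sample pages are constructed for illustration, and it assumes an empty `result_info.cursor` marks the last page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Device keeps only the list-response fields this audit needs.
type Device struct {
	ID                  string `json:"id"`
	Name                string `json:"name"`
	ActiveRegistrations int64  `json:"active_registrations"`
	LastSeenAt          string `json:"last_seen_at"`
}

// devicePage mirrors the response envelope shown in the Response sample.
type devicePage struct {
	Success    bool     `json:"success"`
	Result     []Device `json:"result"`
	ResultInfo struct {
		Cursor string `json:"cursor"`
	} `json:"result_info"`
}

// FetchPage (hypothetical hook) returns the raw JSON for the page that starts
// at cursor; "" requests the first page.
type FetchPage func(cursor string) ([]byte, error)

// StaleDevices follows result_info.cursor across pages and returns devices
// that still have active registrations but were last seen before cutoff.
func StaleDevices(fetch FetchPage, cutoff time.Time) ([]Device, error) {
	var stale []Device
	visited := map[string]bool{}
	cursor := ""
	for {
		raw, err := fetch(cursor)
		if err != nil {
			return nil, err
		}
		var page devicePage
		if err := json.Unmarshal(raw, &page); err != nil {
			return nil, fmt.Errorf("decode page %q: %w", cursor, err)
		}
		if !page.Success {
			return nil, errors.New("response has success=false")
		}
		for _, d := range page.Result {
			if d.ActiveRegistrations == 0 {
				continue // nothing left to revoke
			}
			seenAt, err := time.Parse(time.RFC3339, d.LastSeenAt)
			// A missing or malformed timestamp is reported, not skipped.
			if err != nil || seenAt.Before(cutoff) {
				stale = append(stale, d)
			}
		}
		next := page.ResultInfo.Cursor
		if next == "" { // assumption: an empty cursor marks the last page
			return stale, nil
		}
		if visited[next] {
			return nil, fmt.Errorf("cursor %q repeated, stopping", next)
		}
		visited[next] = true
		cursor = next
	}
}

// samplePages is constructed data in the shape of the list response.
var samplePages = map[string]string{
	"": `{"success":true,"result":[
	  {"id":"dev-a","name":"old-laptop","active_registrations":1,"last_seen_at":"2024-11-02T09:00:00Z"},
	  {"id":"dev-b","name":"build-host","active_registrations":2,"last_seen_at":"2025-02-14T13:17:00Z"}],
	  "result_info":{"count":2,"cursor":"page-2","per_page":2,"total_count":null}}`,
	"page-2": `{"success":true,"result":[
	  {"id":"dev-c","name":"kiosk","active_registrations":1,"last_seen_at":""},
	  {"id":"dev-d","name":"retired","active_registrations":0,"last_seen_at":"2023-01-01T00:00:00Z"}],
	  "result_info":{"count":2,"cursor":"","per_page":2,"total_count":null}}`,
}

// sampleFetch serves the constructed pages in place of a real API call.
func sampleFetch(cursor string) ([]byte, error) {
	body, ok := samplePages[cursor]
	if !ok {
		return nil, fmt.Errorf("no page for cursor %q", cursor)
	}
	return []byte(body), nil
}

func main() {
	cutoff := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	stale, err := StaleDevices(sampleFetch, cutoff)
	if err != nil {
		panic(err)
	}
	for _, d := range stale {
		fmt.Printf("revoke candidate: %s (%s) last_seen_at=%q\n", d.ID, d.Name, d.LastSeenAt)
	}
}
```
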

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Devices.Devices.List(context.TODO(), zero_trust.DeviceDeviceListParams{
    AccountID: cloudflare.F("account_id"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    { "code": 0, "message": "message" }
  ],
  "messages": [
    { "code": 0, "message": "message" }
  ],
  "result": [
    {
      "id": "fc9ab6ab-3b94-4319-9941-459462b3d73e",
      "active_registrations": 1,
      "created_at": "2025-02-14T13:17:00Z",
      "last_seen_at": "2025-02-14T13:17:00Z",
      "name": "My Device",
      "updated_at": "2025-02-14T13:17:00Z",
      "client_version": "1.0.0",
      "deleted_at": "2025-02-14T13:17:00Z",
      "device_type": "linux",
      "hardware_id": "hardware_id",
      "last_seen_registration": {
        "policy": {
          "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
          "default": true,
          "deleted": true,
          "name": "name",
          "updated_at": "2025-02-14T13:17:00Z"
        }
      },
      "last_seen_user": {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "email": "user@example.com",
        "name": "John Appleseed"
      },
      "mac_address": "f5:01:73:cf:12:23",
      "manufacturer": "ACME",
      "model": "Mark VII",
      "os_version": "os_version",
      "os_version_extra": "os_version_extra",
      "public_ip": "1.1.1.1",
      "serial_number": "ABS765ASD8A"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

## Get device

`client.ZeroTrust.Devices.Devices.Get(ctx, deviceID, params) (*DeviceDeviceGetResponse, error)`

**get** `/accounts/{account_id}/devices/physical-devices/{device_id}`

Fetches a single WARP device.

### Parameters

- `deviceID string`
- `params DeviceDeviceGetParams`
  - `AccountID param.Field[string]` Path param
  - `Include param.Field[string]` Query param: Comma-separated list of additional information that should be included in the device response. Supported values are: "last_seen_registration.policy".

### Returns

- `type DeviceDeviceGetResponse struct{…}` A WARP Device.
  - `ID string` The unique ID of the device.
  - `ActiveRegistrations int64` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `CreatedAt string` The RFC3339 timestamp when the device was created.
  - `LastSeenAt string` The RFC3339 timestamp when the device was last seen.
  - `Name string` The name of the device.
  - `UpdatedAt string` The RFC3339 timestamp when the device was last updated.
  - `ClientVersion string` Version of the WARP client.
  - `DeletedAt string` The RFC3339 timestamp when the device was deleted.
  - `DeviceType string` The device operating system.
  - `HardwareID string` A string that uniquely identifies the hardware or virtual machine (VM).
  - `LastSeenRegistration DeviceDeviceGetResponseLastSeenRegistration` The last seen registration for the device.
    - `Policy DeviceDeviceGetResponseLastSeenRegistrationPolicy` A summary of the device profile evaluated for the registration.
      - `ID string` The ID of the device settings profile.
      - `Default bool` Whether the device settings profile is the default profile for the account.
      - `Deleted bool` Whether the device settings profile was deleted.
      - `Name string` The name of the device settings profile.
      - `UpdatedAt string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `LastSeenUser DeviceDeviceGetResponseLastSeenUser` The last user to use the WARP device.
    - `ID string` UUID.
    - `Email string` The contact email address of the user.
    - `Name string` The enrolled device user's name.
  - `MacAddress string` The device MAC address.
  - `Manufacturer string` The device manufacturer.
  - `Model string` The model name of the device.
  - `OSVersion string` The device operating system version number.
  - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `PublicIP string` **Deprecated**: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `SerialNumber string` The device serial number.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  device, err := client.ZeroTrust.Devices.Devices.Get(
    context.TODO(),
    "device_id",
    zero_trust.DeviceDeviceGetParams{
      AccountID: cloudflare.F("account_id"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", device.ID)
}
```

#### Response

```json
{
  "errors": [
    { "code": 0, "message": "message" }
  ],
  "messages": [
    { "code": 0, "message": "message" }
  ],
  "result": {
    "id": "fc9ab6ab-3b94-4319-9941-459462b3d73e",
    "active_registrations": 1,
    "created_at": "2025-02-14T13:17:00Z",
    "last_seen_at": "2025-02-14T13:17:00Z",
    "name": "My Device",
    "updated_at": "2025-02-14T13:17:00Z",
    "client_version": "1.0.0",
    "deleted_at": "2025-02-14T13:17:00Z",
    "device_type": "linux",
    "hardware_id": "hardware_id",
    "last_seen_registration": {
      "policy": {
        "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
        "default": true,
        "deleted": true,
        "name": "name",
        "updated_at": "2025-02-14T13:17:00Z"
      }
    },
    "last_seen_user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    },
    "mac_address": "f5:01:73:cf:12:23",
    "manufacturer": "ACME",
    "model": "Mark VII",
    "os_version": "os_version",
    "os_version_extra": "os_version_extra",
    "public_ip": "1.1.1.1",
    "serial_number": "ABS765ASD8A"
  },
  "success": true
}
```

## Delete device

`client.ZeroTrust.Devices.Devices.Delete(ctx, deviceID, body) (*DeviceDeviceDeleteResponse, error)`

**delete** `/accounts/{account_id}/devices/physical-devices/{device_id}`

Deletes a WARP device.

### Parameters

- `deviceID string`
- `body DeviceDeviceDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceDeviceDeleteResponse interface{…}`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  device, err := client.ZeroTrust.Devices.Devices.Delete(
    context.TODO(),
    "device_id",
    zero_trust.DeviceDeviceDeleteParams{
      AccountID: cloudflare.F("account_id"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", device)
}
```

#### Response

```json
{
  "errors": [
    { "code": 0, "message": "message" }
  ],
  "messages": [
    { "code": 0, "message": "message" }
  ],
  "success": true,
  "result": {}
}
```

## Revoke device registrations

`client.ZeroTrust.Devices.Devices.Revoke(ctx, deviceID, body) (*DeviceDeviceRevokeResponse, error)`

**post** `/accounts/{account_id}/devices/physical-devices/{device_id}/revoke`

Revokes all WARP registrations associated with the specified device.

### Parameters

- `deviceID string`
- `body DeviceDeviceRevokeParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceDeviceRevokeResponse interface{…}`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  response, err := client.ZeroTrust.Devices.Devices.Revoke(
    context.TODO(),
    "device_id",
    zero_trust.DeviceDeviceRevokeParams{
      AccountID: cloudflare.F("account_id"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "errors": [
    { "code": 0, "message": "message" }
  ],
  "messages": [
    { "code": 0, "message": "message" }
  ],
  "success": true,
  "result": {}
}
```

# Resilience

# Global WARP Override

## Retrieve Global WARP override state

`client.ZeroTrust.Devices.Resilience.GlobalWARPOverride.Get(ctx, query) (*DeviceResilienceGlobalWARPOverrideGetResponse, error)`

**get** `/accounts/{account_id}/devices/resilience/disconnect`

Fetch the Global WARP override state.

### Parameters

- `query DeviceResilienceGlobalWARPOverrideGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceResilienceGlobalWARPOverrideGetResponse struct{…}`
  - `Disconnect bool` Disconnects all devices on the account using Global WARP override.
  - `Timestamp Time` When the Global WARP override state was updated.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  globalWARPOverride, err := client.ZeroTrust.Devices.Resilience.GlobalWARPOverride.Get(context.TODO(), zero_trust.DeviceResilienceGlobalWARPOverrideGetParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", globalWARPOverride.Disconnect)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "disconnect": false,
    "timestamp": "1970-01-01T00:00:00.000Z"
  },
  "success": true
}
```

## Set Global WARP override state

`client.ZeroTrust.Devices.Resilience.GlobalWARPOverride.New(ctx, params) (*DeviceResilienceGlobalWARPOverrideNewResponse, error)`

**post** `/accounts/{account_id}/devices/resilience/disconnect`

Sets the Global WARP override state.

### Parameters

- `params DeviceResilienceGlobalWARPOverrideNewParams`
  - `AccountID param.Field[string]` Path param
  - `Disconnect param.Field[bool]` Body param: Disconnects all devices on the account using Global WARP override.
  - `Justification param.Field[string]` Body param: Reasoning for setting the Global WARP override state. This will be surfaced in the audit log.

### Returns

- `type DeviceResilienceGlobalWARPOverrideNewResponse struct{…}`
  - `Disconnect bool` Disconnects all devices on the account using Global WARP override.
  - `Timestamp Time` When the Global WARP override state was updated.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  globalWARPOverride, err := client.ZeroTrust.Devices.Resilience.GlobalWARPOverride.New(context.TODO(), zero_trust.DeviceResilienceGlobalWARPOverrideNewParams{
    AccountID:  cloudflare.F("699d98642c564d2e855e9661899b7252"),
    Disconnect: cloudflare.F(false),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", globalWARPOverride.Disconnect)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "disconnect": false,
    "timestamp": "1970-01-01T00:00:00.000Z"
  },
  "success": true
}
```

# Registrations

## List registrations

`client.ZeroTrust.Devices.Registrations.List(ctx, params) (*CursorPagination[DeviceRegistrationListResponse], error)`

**get** `/accounts/{account_id}/devices/registrations`

Lists WARP registrations.

### Parameters

- `params DeviceRegistrationListParams`
  - `AccountID param.Field[string]` Path param
  - `ID param.Field[[]string]` Query param: Filter by registration ID.
  - `Cursor param.Field[string]` Query param: Opaque token indicating the starting position when requesting the next set of records. A cursor value can be obtained from the result_info.cursor field in the response.
  - `Device param.Field[DeviceRegistrationListParamsDevice]` Query param
    - `ID string` Filter by WARP device ID.
  - `Include param.Field[string]` Query param: Comma-separated list of additional information that should be included in the registration response. Supported values are: "policy".
  - `PerPage param.Field[int64]` Query param: The maximum number of devices to return in a single response.
  - `Search param.Field[string]` Query param: Filter by registration details.
  - `SeenAfter param.Field[string]` Query param: Filter by the last_seen timestamp - returns only registrations last seen after this timestamp.
  - `SeenBefore param.Field[string]` Query param: Filter by the last_seen timestamp - returns only registrations last seen before this timestamp.
  - `SortBy param.Field[DeviceRegistrationListParamsSortBy]` Query param: The registration field to order results by.
    - `const DeviceRegistrationListParamsSortByID DeviceRegistrationListParamsSortBy = "id"`
    - `const DeviceRegistrationListParamsSortByUserName DeviceRegistrationListParamsSortBy = "user.name"`
    - `const DeviceRegistrationListParamsSortByUserEmail DeviceRegistrationListParamsSortBy = "user.email"`
    - `const DeviceRegistrationListParamsSortByLastSeenAt DeviceRegistrationListParamsSortBy = "last_seen_at"`
    - `const DeviceRegistrationListParamsSortByCreatedAt DeviceRegistrationListParamsSortBy = "created_at"`
  - `SortOrder param.Field[DeviceRegistrationListParamsSortOrder]` Query param: Sort direction.
    - `const DeviceRegistrationListParamsSortOrderAsc DeviceRegistrationListParamsSortOrder = "asc"`
    - `const DeviceRegistrationListParamsSortOrderDesc DeviceRegistrationListParamsSortOrder = "desc"`
  - `Status param.Field[DeviceRegistrationListParamsStatus]` Query param: Filter by registration status. Defaults to 'active'.
    - `const DeviceRegistrationListParamsStatusActive DeviceRegistrationListParamsStatus = "active"`
    - `const DeviceRegistrationListParamsStatusAll DeviceRegistrationListParamsStatus = "all"`
    - `const DeviceRegistrationListParamsStatusRevoked DeviceRegistrationListParamsStatus = "revoked"`
  - `User param.Field[DeviceRegistrationListParamsUser]` Query param
    - `ID []string` Filter by user ID.

### Returns

- `type DeviceRegistrationListResponse struct{…}` A WARP configuration tied to a single user.
  Multiple registrations can be created from a single WARP device.
  - `ID string` The ID of the registration.
  - `CreatedAt string` The RFC3339 timestamp when the registration was created.
  - `Device DeviceRegistrationListResponseDevice` Device details embedded inside of a registration.
    - `ID string` The ID of the device.
    - `Name string` The name of the device.
    - `ClientVersion string` Version of the WARP client.
  - `Key string` The public key used to connect to the Cloudflare network.
  - `LastSeenAt string` The RFC3339 timestamp when the registration was last seen.
  - `UpdatedAt string` The RFC3339 timestamp when the registration was last updated.
  - `DeletedAt string` The RFC3339 timestamp when the registration was deleted.
  - `KeyType string` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `Policy DeviceRegistrationListResponsePolicy` The device settings profile assigned to this registration.
    - `ID string` The ID of the device settings profile.
    - `Default bool` Whether the device settings profile is the default profile for the account.
    - `Deleted bool` Whether the device settings profile was deleted.
    - `Name string` The name of the device settings profile.
    - `UpdatedAt string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `RevokedAt string` The RFC3339 timestamp when the registration was revoked.
  - `TunnelType string` Type of the tunnel - wireguard or masque.
  - `User DeviceRegistrationListResponseUser`
    - `ID string` UUID.
    - `Email string` The contact email address of the user.
    - `Name string` The enrolled device user's name.
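
The `KeyType`, `TunnelType`, `RevokedAt` and `DeletedAt` fields above support two routine checks on a registrations listing: that each key type matches the documented pairing for its tunnel type, and that no registration is still active for a user who has been offboarded. The following is an added example, not code from the SDK or its documentation; it uses only the standard library, and the sample response, the registration IDs and the `offboarded` set are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Registration keeps the registration fields this audit reads.
type Registration struct {
	ID         string  `json:"id"`
	KeyType    string  `json:"key_type"`
	TunnelType string  `json:"tunnel_type"`
	RevokedAt  *string `json:"revoked_at"` // null while the registration is active
	DeletedAt  *string `json:"deleted_at"`
	User       struct {
		Email string `json:"email"`
	} `json:"user"`
}

// Finding is one audit result for a registration.
type Finding struct {
	RegistrationID string
	Reason         string
}

// expectedKeyType is the pairing documented for KeyType and TunnelType.
var expectedKeyType = map[string]string{
	"wireguard": "curve25519",
	"masque":    "secp256r1",
}

// AuditRegistrations parses one list response and reports registrations whose
// key type does not match the tunnel type, and registrations that are still
// active for a user in offboarded (keys are lower-case email addresses).
func AuditRegistrations(raw []byte, offboarded map[string]bool) ([]Finding, error) {
	var resp struct {
		Success bool           `json:"success"`
		Result  []Registration `json:"result"`
	}
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !resp.Success {
		return nil, errors.New("response has success=false")
	}
	var findings []Finding
	for _, r := range resp.Result {
		want, known := expectedKeyType[r.TunnelType]
		switch {
		case !known:
			findings = append(findings, Finding{r.ID,
				fmt.Sprintf("unknown tunnel_type %q", r.TunnelType)})
		case r.KeyType != want:
			findings = append(findings, Finding{r.ID,
				fmt.Sprintf("key_type %q on %s tunnel, expected %q", r.KeyType, r.TunnelType, want)})
		}
		// Active means neither revoked nor deleted.
		active := r.RevokedAt == nil && r.DeletedAt == nil
		if active && offboarded[strings.ToLower(r.User.Email)] {
			findings = append(findings, Finding{r.ID,
				"active registration for offboarded user " + r.User.Email})
		}
	}
	return findings, nil
}

// sampleResponse is constructed data in the shape of a listing that includes
// revoked registrations (status "all"); key material is omitted.
const sampleResponse = `{"success":true,"errors":[],"messages":[],"result":[
 {"id":"reg-1","key_type":"secp256r1","tunnel_type":"masque","revoked_at":null,"deleted_at":null,"user":{"email":"alice@example.org"}},
 {"id":"reg-2","key_type":"secp256r1","tunnel_type":"wireguard","revoked_at":null,"deleted_at":null,"user":{"email":"Bob@example.com"}},
 {"id":"reg-3","key_type":"curve25519","tunnel_type":"wireguard","revoked_at":"2025-02-14T13:17:00Z","deleted_at":null,"user":{"email":"bob@example.com"}}]}`

func main() {
	findings, err := AuditRegistrations([]byte(sampleResponse), map[string]bool{"bob@example.com": true})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.RegistrationID, f.Reason)
	}
}
```
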

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Devices.Registrations.List(context.TODO(), zero_trust.DeviceRegistrationListParams{
    AccountID: cloudflare.F("account_id"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [],
  "messages": [],
  "result": [
    {
      "created_at": "2025-02-14T13:17:00Z",
      "deleted_at": null,
      "device": {
        "client_version": "1.0.0",
        "id": "32aa0404-78f1-49a4-99e0-97f575081356",
        "name": "My Device"
      },
      "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
      "key": "U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==",
      "key_type": "secp256r1",
      "last_seen_at": "2025-02-14T13:17:00Z",
      "revoked_at": null,
      "tunnel_type": "masque",
      "updated_at": "2025-02-14T13:17:00Z",
      "user": {
        "email": "alice@example.org",
        "id": "30323c1f-318d-4ec9-92c7-5a8c4d25c4fc",
        "name": "Alice"
      }
    },
    {
      "created_at": "2025-02-15T10:20:00Z",
      "deleted_at": null,
      "device": {
        "client_version": "1.0.1",
        "id": "43bb1515-8902-50b5-aa01-a88686192467",
        "name": "Bob's Laptop"
      },
      "id": "22eedc7a-4a1d-5417-c5b3-f73a983c277b",
      "key": "V/RSP61StXgfmLHJG5umHEonHfvxtz57LDIs6PziXr11Stegm56nhrRBvFK7DP1ZsLzUm0GVg6jC1cxZS4h5FFGFJiju7kGbrgNsCNCT77juw0IRYlS0QpjgLR==",
      "key_type": "secp256r1",
      "last_seen_at": "2025-02-15T10:25:00Z",
      "revoked_at": null,
      "tunnel_type": "masque",
      "updated_at": "2025-02-15T10:25:00Z",
      "user": {
        "email": "bob@example.com",
        "id": "41434d2a-429e-5fd0-a3d8-6b9d5e36d5ad",
        "name": "Bob"
      }
    }
  ],
  "result_info": {
    "count": 2,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  },
  "success": true
}
```

## Get registration

`client.ZeroTrust.Devices.Registrations.Get(ctx, registrationID, params) (*DeviceRegistrationGetResponse, error)`

**get** `/accounts/{account_id}/devices/registrations/{registration_id}`

Fetches a single WARP registration.

### Parameters

- `registrationID string`
- `params DeviceRegistrationGetParams`
  - `AccountID param.Field[string]` Path param
  - `Include param.Field[string]` Query param: Comma-separated list of additional information that should be included in the registration response. Supported values are: "policy".

### Returns

- `type DeviceRegistrationGetResponse struct{…}` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `ID string` The ID of the registration.
  - `CreatedAt string` The RFC3339 timestamp when the registration was created.
  - `Device DeviceRegistrationGetResponseDevice` Device details embedded inside of a registration.
    - `ID string` The ID of the device.
    - `Name string` The name of the device.
    - `ClientVersion string` Version of the WARP client.
  - `Key string` The public key used to connect to the Cloudflare network.
  - `LastSeenAt string` The RFC3339 timestamp when the registration was last seen.
  - `UpdatedAt string` The RFC3339 timestamp when the registration was last updated.
  - `DeletedAt string` The RFC3339 timestamp when the registration was deleted.
  - `KeyType string` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `Policy DeviceRegistrationGetResponsePolicy` The device settings profile assigned to this registration.
    - `ID string` The ID of the device settings profile.
    - `Default bool` Whether the device settings profile is the default profile for the account.
    - `Deleted bool` Whether the device settings profile was deleted.
    - `Name string` The name of the device settings profile.
    - `UpdatedAt string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `RevokedAt string` The RFC3339 timestamp when the registration was revoked.
  - `TunnelType string` Type of the tunnel - wireguard or masque.
  - `User DeviceRegistrationGetResponseUser`
    - `ID string` UUID.
    - `Email string` The contact email address of the user.
    - `Name string` The enrolled device user's name.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  registration, err := client.ZeroTrust.Devices.Registrations.Get(
    context.TODO(),
    "registration_id",
    zero_trust.DeviceRegistrationGetParams{
      AccountID: cloudflare.F("account_id"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", registration.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
    "created_at": "2025-02-14T13:17:00Z",
    "device": {
      "id": "32aa0404-78f1-49a4-99e0-97f575081356",
      "name": "My Device",
      "client_version": "1.0.0"
    },
    "key": "U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==",
    "last_seen_at": "2025-02-14T13:17:00Z",
    "updated_at": "2025-02-14T13:17:00Z",
    "deleted_at": "2025-02-14T13:17:00Z",
    "key_type": "secp256r1",
    "policy": {
      "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
      "default": true,
      "deleted": true,
      "name": "name",
      "updated_at": "2025-02-14T13:17:00Z"
    },
    "revoked_at": "2025-02-14T13:17:00Z",
    "tunnel_type": "masque",
    "user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    }
  },
  "success": true
}
```

## Delete registration

`client.ZeroTrust.Devices.Registrations.Delete(ctx, registrationID, body) (*DeviceRegistrationDeleteResponse, error)`

**delete**
`/accounts/{account_id}/devices/registrations/{registration_id}`

Deletes a WARP registration.

### Parameters

- `registrationID string`
- `body DeviceRegistrationDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceRegistrationDeleteResponse interface{…}`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  registration, err := client.ZeroTrust.Devices.Registrations.Delete(
    context.TODO(),
    "registration_id",
    zero_trust.DeviceRegistrationDeleteParams{
      AccountID: cloudflare.F("account_id"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", registration)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "success": true,
  "result": {}
}
```

## Delete registrations

`client.ZeroTrust.Devices.Registrations.BulkDelete(ctx, params) (*DeviceRegistrationBulkDeleteResponse, error)`

**delete** `/accounts/{account_id}/devices/registrations`

Deletes a list of WARP registrations.

### Parameters

- `params DeviceRegistrationBulkDeleteParams`
  - `AccountID param.Field[string]` Path param
  - `ID param.Field[[]string]` Query param: A list of registration IDs to delete.
### Returns

- `type DeviceRegistrationBulkDeleteResponse interface{…}`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  response, err := client.ZeroTrust.Devices.Registrations.BulkDelete(context.TODO(), zero_trust.DeviceRegistrationBulkDeleteParams{
    AccountID: cloudflare.F("account_id"),
    ID: cloudflare.F([]string{"string"}),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {},
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

## Revoke registrations

`client.ZeroTrust.Devices.Registrations.Revoke(ctx, params) (*DeviceRegistrationRevokeResponse, error)`

**post** `/accounts/{account_id}/devices/registrations/revoke`

Revokes a list of WARP registrations.

### Parameters

- `params DeviceRegistrationRevokeParams`
  - `AccountID param.Field[string]` Path param
  - `ID param.Field[[]string]` Query param: A list of registration IDs to revoke.
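
An added example (not code from the SDK or from Cloudflare's documentation) of an audit run over the registrations list response before building the `ID` list for Revoke: it flags active registrations whose `key_type` does not match the documented pairing for their `tunnel_type`, and collects registrations idle past a threshold as revoke candidates. The JSON sample, the 14-day threshold and the names `AuditRegistrations`, `Finding` and `sampleListResponse` are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// sampleListResponse is a constructed payload in the shape of the
// registrations list response; every ID and timestamp is made up.
const sampleListResponse = `{
  "errors": [], "messages": [], "success": true,
  "result": [
    {"id": "00000000-0000-4000-8000-000000000001", "key_type": "secp256r1", "tunnel_type": "masque",
     "last_seen_at": "2025-02-28T09:00:00Z", "revoked_at": null, "deleted_at": null},
    {"id": "00000000-0000-4000-8000-000000000002", "key_type": "curve25519", "tunnel_type": "wireguard",
     "last_seen_at": "2025-01-05T08:30:00Z", "revoked_at": null, "deleted_at": null},
    {"id": "00000000-0000-4000-8000-000000000003", "key_type": "secp256r1", "tunnel_type": "wireguard",
     "last_seen_at": "2025-02-27T17:45:00Z", "revoked_at": null, "deleted_at": null},
    {"id": "00000000-0000-4000-8000-000000000004", "key_type": "secp256r1", "tunnel_type": "masque",
     "last_seen_at": "2024-12-01T10:00:00Z", "revoked_at": "2024-12-15T00:00:00Z", "deleted_at": null}
  ]
}`

// Registration holds only the response fields this audit reads.
type Registration struct {
	ID         string  `json:"id"`
	KeyType    string  `json:"key_type"`
	TunnelType string  `json:"tunnel_type"`
	LastSeenAt string  `json:"last_seen_at"`
	RevokedAt  *string `json:"revoked_at"`
	DeletedAt  *string `json:"deleted_at"`
}

type listResponse struct {
	Success bool           `json:"success"`
	Result  []Registration `json:"result"`
}

// Finding is one audit observation (hypothetical type for this example).
type Finding struct {
	RegistrationID string
	Reason         string
}

// expectedKeyType is the pairing given in the KeyType field description:
// curve25519 for WireGuard, secp256r1 for MASQUE.
var expectedKeyType = map[string]string{
	"wireguard": "curve25519",
	"masque":    "secp256r1",
}

func isSet(ts *string) bool { return ts != nil && *ts != "" }

// AuditRegistrations returns the findings for active registrations and the
// IDs that have been idle longer than maxIdle. Key/tunnel mismatches and
// unparseable timestamps are reported for review but never auto-selected.
func AuditRegistrations(body []byte, now time.Time, maxIdle time.Duration) ([]Finding, []string, error) {
	var resp listResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, nil, fmt.Errorf("decode list response: %w", err)
	}
	if !resp.Success {
		return nil, nil, fmt.Errorf("response has success=false; refusing to audit it")
	}
	var findings []Finding
	var revoke []string
	for _, r := range resp.Result {
		if isSet(r.RevokedAt) || isSet(r.DeletedAt) {
			continue // already revoked or deleted
		}
		if want, ok := expectedKeyType[r.TunnelType]; !ok || want != r.KeyType {
			findings = append(findings, Finding{RegistrationID: r.ID,
				Reason: fmt.Sprintf("key_type %q does not match tunnel_type %q", r.KeyType, r.TunnelType)})
		}
		seen, err := time.Parse(time.RFC3339, r.LastSeenAt)
		if err != nil {
			findings = append(findings, Finding{RegistrationID: r.ID, Reason: "last_seen_at is not RFC3339"})
			continue
		}
		if idle := now.Sub(seen); idle > maxIdle {
			findings = append(findings, Finding{RegistrationID: r.ID,
				Reason: fmt.Sprintf("idle for %d days", int(idle.Hours()/24))})
			revoke = append(revoke, r.ID)
		}
	}
	return findings, revoke, nil
}

func main() {
	now := time.Date(2025, 3, 1, 0, 0, 0, 0, time.UTC) // fixed so the run is reproducible
	findings, revoke, err := AuditRegistrations([]byte(sampleListResponse), now, 14*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.RegistrationID, f.Reason)
	}
	// revoke is the slice to pass as the ID parameter of Registrations.Revoke.
	fmt.Println("revoke candidates:", revoke)
}
```
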
### Returns

- `type DeviceRegistrationRevokeResponse interface{…}`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  response, err := client.ZeroTrust.Devices.Registrations.Revoke(context.TODO(), zero_trust.DeviceRegistrationRevokeParams{
    AccountID: cloudflare.F("account_id"),
    ID: cloudflare.F([]string{"string"}),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {},
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

## Unrevoke registrations

`client.ZeroTrust.Devices.Registrations.Unrevoke(ctx, params) (*DeviceRegistrationUnrevokeResponse, error)`

**post** `/accounts/{account_id}/devices/registrations/unrevoke`

Unrevokes a list of WARP registrations.

### Parameters

- `params DeviceRegistrationUnrevokeParams`
  - `AccountID param.Field[string]` Path param
  - `ID param.Field[[]string]` Query param: A list of registration IDs to unrevoke.
### Returns

- `type DeviceRegistrationUnrevokeResponse interface{…}`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  response, err := client.ZeroTrust.Devices.Registrations.Unrevoke(context.TODO(), zero_trust.DeviceRegistrationUnrevokeParams{
    AccountID: cloudflare.F("account_id"),
    ID: cloudflare.F([]string{"string"}),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {},
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

# DEX Tests

## List Device DEX tests

`client.ZeroTrust.Devices.DEXTests.List(ctx, params) (*V4PagePaginationArray[DeviceDEXTestListResponse], error)`

**get** `/accounts/{account_id}/dex/devices/dex_tests`

Fetch all DEX tests

### Parameters

- `params DeviceDEXTestListParams`
  - `AccountID param.Field[string]` Path param
  - `Kind param.Field[DeviceDEXTestListParamsKind]` Query param: Filter by test type
    - `const DeviceDEXTestListParamsKindHTTP DeviceDEXTestListParamsKind = "http"`
    - `const DeviceDEXTestListParamsKindTraceroute DeviceDEXTestListParamsKind = "traceroute"`
  - `Page param.Field[float64]` Query param: Page number of paginated results
  - `PerPage param.Field[float64]` Query param: Number of items per page
  - `TestName param.Field[string]` Query param: Filter by test name

### Returns

- `type DeviceDEXTestListResponse struct{…}`
  - `Data DeviceDEXTestListResponseData` The configuration object which contains the details for the WARP client to conduct the test.
    - `Host string` The desired endpoint to test.
    - `Kind DeviceDEXTestListResponseDataKind` The type of test.
      - `const DeviceDEXTestListResponseDataKindHTTP DeviceDEXTestListResponseDataKind = "http"`
      - `const DeviceDEXTestListResponseDataKindTraceroute DeviceDEXTestListResponseDataKind = "traceroute"`
    - `Method DeviceDEXTestListResponseDataMethod` The HTTP request method type.
      - `const DeviceDEXTestListResponseDataMethodGet DeviceDEXTestListResponseDataMethod = "GET"`
  - `Enabled bool` Determines whether or not the test is active.
  - `Interval string` How often the test will run.
  - `Name string` The name of the DEX test. Must be unique.
  - `Description string` Additional details about the test.
  - `TargetPolicies []DeviceDEXTestListResponseTargetPolicy` DEX rules targeted by this test
    - `ID string` API Resource UUID tag.
    - `Default bool` Whether the DEX rule is the account default
    - `Name string` The name of the DEX rule
  - `Targeted bool`
  - `TestID string` The unique identifier for the test.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
    option.WithAPIEmail("user@example.com"),
  )
  page, err := client.ZeroTrust.Devices.DEXTests.List(context.TODO(), zero_trust.DeviceDEXTestListParams{
    AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "data": {
        "host": "https://dash.cloudflare.com",
        "kind": "http",
        "method": "GET"
      },
      "enabled": true,
      "interval": "30m",
      "name": "HTTP dash health check",
      "description": "Checks the dash endpoint every 30 minutes",
      "target_policies": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "default": true,
          "name": "name"
        }
      ],
      "targeted": true,
      "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
    }
  ]
}
```

## Get Device DEX test

`client.ZeroTrust.Devices.DEXTests.Get(ctx, dexTestID, query) (*DeviceDEXTestGetResponse, error)`

**get** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Fetch a single DEX test.

### Parameters

- `dexTestID string` The unique identifier for the test.
- `query DeviceDEXTestGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceDEXTestGetResponse struct{…}`
  - `Data DeviceDEXTestGetResponseData` The configuration object which contains the details for the WARP client to conduct the test.
    - `Host string` The desired endpoint to test.
    - `Kind DeviceDEXTestGetResponseDataKind` The type of test.
      - `const DeviceDEXTestGetResponseDataKindHTTP DeviceDEXTestGetResponseDataKind = "http"`
      - `const DeviceDEXTestGetResponseDataKindTraceroute DeviceDEXTestGetResponseDataKind = "traceroute"`
    - `Method DeviceDEXTestGetResponseDataMethod` The HTTP request method type.
      - `const DeviceDEXTestGetResponseDataMethodGet DeviceDEXTestGetResponseDataMethod = "GET"`
  - `Enabled bool` Determines whether or not the test is active.
  - `Interval string` How often the test will run.
  - `Name string` The name of the DEX test. Must be unique.
  - `Description string` Additional details about the test.
  - `TargetPolicies []DeviceDEXTestGetResponseTargetPolicy` DEX rules targeted by this test
    - `ID string` API Resource UUID tag.
    - `Default bool` Whether the DEX rule is the account default
    - `Name string` The name of the DEX rule
  - `Targeted bool`
  - `TestID string` The unique identifier for the test.
### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
    option.WithAPIEmail("user@example.com"),
  )
  dexTest, err := client.ZeroTrust.Devices.DEXTests.Get(
    context.TODO(),
    "372e67954025e0ba6aaa6d586b9e0b59",
    zero_trust.DeviceDEXTestGetParams{
      AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", dexTest.TestID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "data": {
      "host": "https://dash.cloudflare.com",
      "kind": "http",
      "method": "GET"
    },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "default": true,
        "name": "name"
      }
    ],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Create Device DEX test

`client.ZeroTrust.Devices.DEXTests.New(ctx, params) (*DeviceDEXTestNewResponse, error)`

**post** `/accounts/{account_id}/dex/devices/dex_tests`

Create a DEX test.

### Parameters

- `params DeviceDEXTestNewParams`
  - `AccountID param.Field[string]` Path param
  - `Data param.Field[DeviceDEXTestNewParamsData]` Body param: The configuration object which contains the details for the WARP client to conduct the test.
    - `Host string` The desired endpoint to test.
    - `Kind DeviceDEXTestNewParamsDataKind` The type of test.
      - `const DeviceDEXTestNewParamsDataKindHTTP DeviceDEXTestNewParamsDataKind = "http"`
      - `const DeviceDEXTestNewParamsDataKindTraceroute DeviceDEXTestNewParamsDataKind = "traceroute"`
    - `Method DeviceDEXTestNewParamsDataMethod` The HTTP request method type.
      - `const DeviceDEXTestNewParamsDataMethodGet DeviceDEXTestNewParamsDataMethod = "GET"`
  - `Enabled param.Field[bool]` Body param: Determines whether or not the test is active.
  - `Interval param.Field[string]` Body param: How often the test will run.
  - `Name param.Field[string]` Body param: The name of the DEX test. Must be unique.
  - `Description param.Field[string]` Body param: Additional details about the test.
  - `TargetPolicies param.Field[[]DeviceDEXTestNewParamsTargetPolicy]` Body param: DEX rules targeted by this test
    - `ID string` API Resource UUID tag.
    - `Default bool` Whether the DEX rule is the account default
    - `Name string` The name of the DEX rule
  - `Targeted param.Field[bool]` Body param

### Returns

- `type DeviceDEXTestNewResponse struct{…}`
  - `Data DeviceDEXTestNewResponseData` The configuration object which contains the details for the WARP client to conduct the test.
    - `Host string` The desired endpoint to test.
    - `Kind DeviceDEXTestNewResponseDataKind` The type of test.
      - `const DeviceDEXTestNewResponseDataKindHTTP DeviceDEXTestNewResponseDataKind = "http"`
      - `const DeviceDEXTestNewResponseDataKindTraceroute DeviceDEXTestNewResponseDataKind = "traceroute"`
    - `Method DeviceDEXTestNewResponseDataMethod` The HTTP request method type.
      - `const DeviceDEXTestNewResponseDataMethodGet DeviceDEXTestNewResponseDataMethod = "GET"`
  - `Enabled bool` Determines whether or not the test is active.
  - `Interval string` How often the test will run.
  - `Name string` The name of the DEX test. Must be unique.
  - `Description string` Additional details about the test.
  - `TargetPolicies []DeviceDEXTestNewResponseTargetPolicy` DEX rules targeted by this test
    - `ID string` API Resource UUID tag.
    - `Default bool` Whether the DEX rule is the account default
    - `Name string` The name of the DEX rule
  - `Targeted bool`
  - `TestID string` The unique identifier for the test.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
    option.WithAPIEmail("user@example.com"),
  )
  dexTest, err := client.ZeroTrust.Devices.DEXTests.New(context.TODO(), zero_trust.DeviceDEXTestNewParams{
    AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
    Data: cloudflare.F(zero_trust.DeviceDEXTestNewParamsData{
      Host: cloudflare.F("https://dash.cloudflare.com"),
      Kind: cloudflare.F(zero_trust.DeviceDEXTestNewParamsDataKindHTTP),
    }),
    Enabled: cloudflare.F(true),
    Interval: cloudflare.F("30m"),
    Name: cloudflare.F("HTTP dash health check"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", dexTest.TestID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "data": {
      "host": "https://dash.cloudflare.com",
      "kind": "http",
      "method": "GET"
    },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "default": true,
        "name": "name"
      }
    ],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Update Device DEX test

`client.ZeroTrust.Devices.DEXTests.Update(ctx, dexTestID, params) (*DeviceDEXTestUpdateResponse, error)`

**put** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Update a DEX test.
### Parameters

- `dexTestID string` API Resource UUID tag.
- `params DeviceDEXTestUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Data param.Field[DeviceDEXTestUpdateParamsData]` Body param: The configuration object which contains the details for the WARP client to conduct the test.
    - `Host string` The desired endpoint to test.
    - `Kind DeviceDEXTestUpdateParamsDataKind` The type of test.
      - `const DeviceDEXTestUpdateParamsDataKindHTTP DeviceDEXTestUpdateParamsDataKind = "http"`
      - `const DeviceDEXTestUpdateParamsDataKindTraceroute DeviceDEXTestUpdateParamsDataKind = "traceroute"`
    - `Method DeviceDEXTestUpdateParamsDataMethod` The HTTP request method type.
      - `const DeviceDEXTestUpdateParamsDataMethodGet DeviceDEXTestUpdateParamsDataMethod = "GET"`
  - `Enabled param.Field[bool]` Body param: Determines whether or not the test is active.
  - `Interval param.Field[string]` Body param: How often the test will run.
  - `Name param.Field[string]` Body param: The name of the DEX test. Must be unique.
  - `Description param.Field[string]` Body param: Additional details about the test.
  - `TargetPolicies param.Field[[]DeviceDEXTestUpdateParamsTargetPolicy]` Body param: DEX rules targeted by this test
    - `ID string` API Resource UUID tag.
    - `Default bool` Whether the DEX rule is the account default
    - `Name string` The name of the DEX rule
  - `Targeted param.Field[bool]` Body param

### Returns

- `type DeviceDEXTestUpdateResponse struct{…}`
  - `Data DeviceDEXTestUpdateResponseData` The configuration object which contains the details for the WARP client to conduct the test.
    - `Host string` The desired endpoint to test.
    - `Kind DeviceDEXTestUpdateResponseDataKind` The type of test.
      - `const DeviceDEXTestUpdateResponseDataKindHTTP DeviceDEXTestUpdateResponseDataKind = "http"`
      - `const DeviceDEXTestUpdateResponseDataKindTraceroute DeviceDEXTestUpdateResponseDataKind = "traceroute"`
    - `Method DeviceDEXTestUpdateResponseDataMethod` The HTTP request method type.
      - `const DeviceDEXTestUpdateResponseDataMethodGet DeviceDEXTestUpdateResponseDataMethod = "GET"`
  - `Enabled bool` Determines whether or not the test is active.
  - `Interval string` How often the test will run.
  - `Name string` The name of the DEX test. Must be unique.
  - `Description string` Additional details about the test.
  - `TargetPolicies []DeviceDEXTestUpdateResponseTargetPolicy` DEX rules targeted by this test
    - `ID string` API Resource UUID tag.
    - `Default bool` Whether the DEX rule is the account default
    - `Name string` The name of the DEX rule
  - `Targeted bool`
  - `TestID string` The unique identifier for the test.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
    option.WithAPIEmail("user@example.com"),
  )
  dexTest, err := client.ZeroTrust.Devices.DEXTests.Update(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.DeviceDEXTestUpdateParams{
      AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
      Data: cloudflare.F(zero_trust.DeviceDEXTestUpdateParamsData{
        Host: cloudflare.F("https://dash.cloudflare.com"),
        Kind: cloudflare.F(zero_trust.DeviceDEXTestUpdateParamsDataKindHTTP),
      }),
      Enabled: cloudflare.F(true),
      Interval: cloudflare.F("30m"),
      Name: cloudflare.F("HTTP dash health check"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", dexTest.TestID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "data": {
      "host": "https://dash.cloudflare.com",
      "kind": "http",
      "method": "GET"
    },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "default": true,
        "name": "name"
      }
    ],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Delete Device DEX test

`client.ZeroTrust.Devices.DEXTests.Delete(ctx, dexTestID, body) (*DeviceDEXTestDeleteResponse, error)`

**delete** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Delete a Device DEX test. Returns the remaining device dex tests for the account.

### Parameters

- `dexTestID string` API Resource UUID tag.
- `body DeviceDEXTestDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceDEXTestDeleteResponse struct{…}`
  - `DEXTests []DeviceDEXTestDeleteResponseDEXTest`
    - `Data DeviceDEXTestDeleteResponseDEXTestsData` The configuration object which contains the details for the WARP client to conduct the test.
      - `Host string` The desired endpoint to test.
      - `Kind DeviceDEXTestDeleteResponseDEXTestsDataKind` The type of test.
        - `const DeviceDEXTestDeleteResponseDEXTestsDataKindHTTP DeviceDEXTestDeleteResponseDEXTestsDataKind = "http"`
        - `const DeviceDEXTestDeleteResponseDEXTestsDataKindTraceroute DeviceDEXTestDeleteResponseDEXTestsDataKind = "traceroute"`
      - `Method DeviceDEXTestDeleteResponseDEXTestsDataMethod` The HTTP request method type.
        - `const DeviceDEXTestDeleteResponseDEXTestsDataMethodGet DeviceDEXTestDeleteResponseDEXTestsDataMethod = "GET"`
    - `Enabled bool` Determines whether or not the test is active.
    - `Interval string` How often the test will run.
    - `Name string` The name of the DEX test. Must be unique.
    - `Description string` Additional details about the test.
    - `TargetPolicies []DeviceDEXTestDeleteResponseDEXTestsTargetPolicy` DEX rules targeted by this test
      - `ID string` API Resource UUID tag.
      - `Default bool` Whether the DEX rule is the account default
      - `Name string` The name of the DEX rule
    - `Targeted bool`
    - `TestID string` The unique identifier for the test.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
    option.WithAPIEmail("user@example.com"),
  )
  dexTest, err := client.ZeroTrust.Devices.DEXTests.Delete(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.DeviceDEXTestDeleteParams{
      AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", dexTest.DEXTests)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "dex_tests": [
      {
        "data": {
          "host": "https://dash.cloudflare.com",
          "kind": "http",
          "method": "GET"
        },
        "enabled": true,
        "interval": "30m",
        "name": "HTTP dash health check",
        "description": "Checks the dash endpoint every 30 minutes",
        "target_policies": [
          {
            "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
            "default": true,
            "name": "name"
          }
        ],
        "targeted": true,
        "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
      }
    ]
  }
}
```

## Domain Types

### Schema Data

- `type SchemaData struct{…}` The configuration object which contains the details for the WARP client to conduct the test.
  - `Host string` The desired endpoint to test.
  - `Kind string` The type of test.
  - `Method string` The HTTP request method type.

### Schema HTTP

- `type SchemaHTTP struct{…}`
  - `Data SchemaData` The configuration object which contains the details for the WARP client to conduct the test.
    - `Host string` The desired endpoint to test.
    - `Kind string` The type of test.
    - `Method string` The HTTP request method type.
  - `Enabled bool` Determines whether or not the test is active.
  - `Interval string` How often the test will run.
  - `Name string` The name of the DEX test. Must be unique.
  - `Description string` Additional details about the test.
  - `TargetPolicies []SchemaHTTPTargetPolicy` Device settings profiles targeted by this test.
    - `ID string` The id of the device settings profile.
    - `Default bool` Whether the profile is the account default.
    - `Name string` The name of the device settings profile.
  - `Targeted bool`
  - `TestID string` The unique identifier for the test.

# IP Profiles

## List IP profiles

`client.ZeroTrust.Devices.IPProfiles.List(ctx, params) (*SinglePage[IPProfile], error)`

**get** `/accounts/{account_id}/devices/ip-profiles`

Lists WARP Device IP profiles.

### Parameters

- `params DeviceIPProfileListParams`
  - `AccountID param.Field[string]` Path param
  - `PerPage param.Field[int64]` Query param: The number of IP profiles to return per page.

### Returns

- `type IPProfile struct{…}`
  - `ID string` The ID of the Device IP profile.
  - `CreatedAt string` The RFC3339Nano timestamp when the Device IP profile was created.
  - `Description string` An optional description of the Device IP profile.
  - `Enabled bool` Whether the Device IP profile is enabled.
  - `Match string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
  - `Name string` A user-friendly name for the Device IP profile.
  - `Precedence int64` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.
  - `SubnetID string` The ID of the Subnet.
  - `UpdatedAt string` The RFC3339Nano timestamp when the Device IP profile was last updated.
### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Devices.IPProfiles.List(context.TODO(), zero_trust.DeviceIPProfileListParams{
    AccountID: cloudflare.F("account_id"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "created_at": "2025-02-14T13:17:00.123456789Z",
      "description": "example comment",
      "enabled": true,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "IPv4 Cloudflare Source IPs",
      "precedence": 100,
      "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "updated_at": "2025-02-14T13:17:00.123456789Z"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 10,
    "total_count": 10,
    "total_pages": 1
  }
}
```

## Get IP profile

`client.ZeroTrust.Devices.IPProfiles.Get(ctx, profileID, query) (*IPProfile, error)`

**get** `/accounts/{account_id}/devices/ip-profiles/{profile_id}`

Fetches a single WARP Device IP profile.

### Parameters

- `profileID string`
- `query DeviceIPProfileGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type IPProfile struct{…}`
  - `ID string` The ID of the Device IP profile.
  - `CreatedAt string` The RFC3339Nano timestamp when the Device IP profile was created.
  - `Description string` An optional description of the Device IP profile.
  - `Enabled bool` Whether the Device IP profile is enabled.
  - `Match string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
  - `Name string` A user-friendly name for the Device IP profile.
  - `Precedence int64` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.
  - `SubnetID string` The ID of the Subnet.
  - `UpdatedAt string` The RFC3339Nano timestamp when the Device IP profile was last updated.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  ipProfile, err := client.ZeroTrust.Devices.IPProfiles.Get(
    context.TODO(),
    "profile_id",
    zero_trust.DeviceIPProfileGetParams{
      AccountID: cloudflare.F("account_id"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", ipProfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "created_at": "2025-02-14T13:17:00.123456789Z",
    "description": "example comment",
    "enabled": true,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "IPv4 Cloudflare Source IPs",
    "precedence": 100,
    "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2025-02-14T13:17:00.123456789Z"
  },
  "success": true
}
```

## Create IP profile

`client.ZeroTrust.Devices.IPProfiles.New(ctx, params) (*IPProfile, error)`

**post** `/accounts/{account_id}/devices/ip-profiles`

Creates a WARP Device IP profile. Currently, only IPv4 Device subnets can be associated.

### Parameters

- `params DeviceIPProfileNewParams`
  - `AccountID param.Field[string]` Path param
  - `Match param.Field[string]` Body param: The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
  - `Name param.Field[string]` Body param: A user-friendly name for the Device IP profile.
  - `Precedence param.Field[int64]` Body param: The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.
  - `SubnetID param.Field[string]` Body param: The ID of the Subnet.
  - `Description param.Field[string]` Body param: An optional description of the Device IP profile.
  - `Enabled param.Field[bool]` Body param: Whether the Device IP profile will be applied to matching devices.

### Returns

- `type IPProfile struct{…}`
  - `ID string` The ID of the Device IP profile.
  - `CreatedAt string` The RFC3339Nano timestamp when the Device IP profile was created.
  - `Description string` An optional description of the Device IP profile.
  - `Enabled bool` Whether the Device IP profile is enabled.
  - `Match string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
  - `Name string` A user-friendly name for the Device IP profile.
  - `Precedence int64` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.
  - `SubnetID string` The ID of the Subnet.
  - `UpdatedAt string` The RFC3339Nano timestamp when the Device IP profile was last updated.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ipProfile, err := client.ZeroTrust.Devices.IPProfiles.New(context.TODO(), zero_trust.DeviceIPProfileNewParams{
		AccountID:  cloudflare.F("account_id"),
		Match:      cloudflare.F(`identity.email == "test@cloudflare.com"`),
		Name:       cloudflare.F("IPv4 Cloudflare Source IPs"),
		Precedence: cloudflare.F(int64(100)),
		SubnetID:   cloudflare.F("b70ff985-a4ef-4643-bbbc-4a0ed4fc8415"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ipProfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "created_at": "2025-02-14T13:17:00.123456789Z",
    "description": "example comment",
    "enabled": true,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "IPv4 Cloudflare Source IPs",
    "precedence": 100,
    "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2025-02-14T13:17:00.123456789Z"
  },
  "success": true
}
```

## Update IP profile

`client.ZeroTrust.Devices.IPProfiles.Update(ctx, profileID, params) (*IPProfile, error)`

**patch** `/accounts/{account_id}/devices/ip-profiles/{profile_id}`

Updates a WARP Device IP profile. Currently, only IPv4 Device subnets can be associated.

### Parameters

- `profileID string`

- `params DeviceIPProfileUpdateParams`

  - `AccountID param.Field[string]`

    Path param

  - `Description param.Field[string]`

    Body param: An optional description of the Device IP profile.

  - `Enabled param.Field[bool]`

    Body param: Whether the Device IP profile is enabled.

  - `Match param.Field[string]`

    Body param: The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

  - `Name param.Field[string]`

    Body param: A user-friendly name for the Device IP profile.

  - `Precedence param.Field[int64]`

    Body param: The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

  - `SubnetID param.Field[string]`

    Body param: The ID of the Subnet.

### Returns

- `type IPProfile struct{…}`

  - `ID string`

    The ID of the Device IP profile.

  - `CreatedAt string`

    The RFC3339Nano timestamp when the Device IP profile was created.

  - `Description string`

    An optional description of the Device IP profile.

  - `Enabled bool`

    Whether the Device IP profile is enabled.

  - `Match string`

    The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

  - `Name string`

    A user-friendly name for the Device IP profile.

  - `Precedence int64`

    The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

  - `SubnetID string`

    The ID of the Subnet.

  - `UpdatedAt string`

    The RFC3339Nano timestamp when the Device IP profile was last updated.
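The `Precedence`, `Enabled` and `Match` fields above decide which Device IP profile a registration gets, so a periodic audit of the list response is worth having. The following is an added example, not code from cloudflare-go or Cloudflare's documentation: the JSON is constructed sample data in the shape of the list response, the type and function names are hypothetical, and flagging duplicate precedences and treating the first matching profile as the winner are assumptions the page does not state.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"sort"
)

// ipProfile holds the IPProfile fields from this page that the audit reads.
type ipProfile struct {
	ID         string `json:"id"`
	Enabled    bool   `json:"enabled"`
	Match      string `json:"match"`
	Name       string `json:"name"`
	Precedence int64  `json:"precedence"`
}

// finding is one audit result (hypothetical type, not part of cloudflare-go).
type finding struct{ ProfileID, Kind, Detail string }

// documentedSelectors is the "Available values" list given for Match.
var documentedSelectors = map[string]bool{
	"identity.name": true, "identity.email": true,
	"identity.groups.id": true, "identity.groups.name": true,
	"identity.groups.email": true, "identity.saml_attributes": true,
}

var (
	// stringLiteral strips quoted values so an e-mail such as
	// "identity.x@example.com" is not mistaken for a selector.
	stringLiteral = regexp.MustCompile(`"(?:[^"\\]|\\.)*"`)
	selector      = regexp.MustCompile(`\bidentity(?:\.[a-z_]+)+`)
)

// Constructed sample in the shape of the list response; every value is made up.
const sampleListResponse = `{
  "success": true,
  "result": [
    {"id": "p-staff", "name": "staff-pool", "enabled": true, "precedence": 100,
     "match": "identity.email == \"test@cloudflare.com\""},
    {"id": "p-dup", "name": "dup-pool", "enabled": true, "precedence": 200,
     "match": "identity.email == \"test@cloudflare.com\""},
    {"id": "p-eng", "name": "eng-pool", "enabled": true, "precedence": 50,
     "match": "identity.groups.name == \"eng\""},
    {"id": "p-old", "name": "old-pool", "enabled": false, "precedence": 100,
     "match": "identity.device_id == \"x\""}
  ]
}`

// auditIPProfiles returns the profiles in evaluation order (ascending
// precedence) together with the findings for that ordering.
func auditIPProfiles(raw []byte) ([]ipProfile, []finding, error) {
	var env struct {
		Success bool        `json:"success"`
		Result  []ipProfile `json:"result"`
	}
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, nil, fmt.Errorf("decode list response: %w", err)
	}
	if !env.Success {
		return nil, nil, errors.New("list response reports success=false")
	}
	ordered := append([]ipProfile(nil), env.Result...)
	sort.SliceStable(ordered, func(i, j int) bool {
		return ordered[i].Precedence < ordered[j].Precedence
	})

	var findings []finding
	byPrecedence := map[int64]string{} // precedence -> first profile ID seen
	byMatch := map[string]string{}     // match expression -> first enabled profile ID
	for _, p := range ordered {
		if !p.Enabled {
			findings = append(findings, finding{p.ID, "disabled", "profile is never applied"})
		}
		if prev, ok := byPrecedence[p.Precedence]; ok {
			findings = append(findings, finding{p.ID, "duplicate-precedence",
				fmt.Sprintf("same precedence %d as %s", p.Precedence, prev)})
		} else {
			byPrecedence[p.Precedence] = p.ID
		}
		bare := stringLiteral.ReplaceAllString(p.Match, `""`)
		for _, sel := range selector.FindAllString(bare, -1) {
			if !documentedSelectors[sel] {
				findings = append(findings, finding{p.ID, "unknown-selector", sel})
			}
		}
		if p.Enabled {
			if prev, ok := byMatch[p.Match]; ok {
				findings = append(findings, finding{p.ID, "shadowed",
					"identical match already claimed by " + prev})
			} else {
				byMatch[p.Match] = p.ID
			}
		}
	}
	return ordered, findings, nil
}

func main() {
	ordered, findings, err := auditIPProfiles([]byte(sampleListResponse))
	if err != nil {
		panic(err)
	}
	for i, p := range ordered {
		fmt.Printf("%d. precedence=%d enabled=%t %s\n", i+1, p.Precedence, p.Enabled, p.Name)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s\n", f.Kind, f.ProfileID, f.Detail)
	}
}
```
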
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ipProfile, err := client.ZeroTrust.Devices.IPProfiles.Update(
		context.TODO(),
		"profile_id",
		zero_trust.DeviceIPProfileUpdateParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ipProfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "created_at": "2025-02-14T13:17:00.123456789Z",
    "description": "example comment",
    "enabled": true,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "IPv4 Cloudflare Source IPs",
    "precedence": 100,
    "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2025-02-14T13:17:00.123456789Z"
  },
  "success": true
}
```

## Delete IP profile

`client.ZeroTrust.Devices.IPProfiles.Delete(ctx, profileID, body) (*DeviceIPProfileDeleteResponse, error)`

**delete** `/accounts/{account_id}/devices/ip-profiles/{profile_id}`

Delete a WARP Device IP profile.

### Parameters

- `profileID string`

- `body DeviceIPProfileDeleteParams`

  - `AccountID param.Field[string]`

### Returns

- `type DeviceIPProfileDeleteResponse struct{…}`

  - `ID string`

    ID of the deleted Device IP profile.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ipProfile, err := client.ZeroTrust.Devices.IPProfiles.Delete(
		context.TODO(),
		"profile_id",
		zero_trust.DeviceIPProfileDeleteParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ipProfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Domain Types

### IP Profile

- `type IPProfile struct{…}`

  - `ID string`

    The ID of the Device IP profile.

  - `CreatedAt string`

    The RFC3339Nano timestamp when the Device IP profile was created.

  - `Description string`

    An optional description of the Device IP profile.

  - `Enabled bool`

    Whether the Device IP profile is enabled.

  - `Match string`

    The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

  - `Name string`

    A user-friendly name for the Device IP profile.

  - `Precedence int64`

    The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

  - `SubnetID string`

    The ID of the Subnet.

  - `UpdatedAt string`

    The RFC3339Nano timestamp when the Device IP profile was last updated.

# Networks

## List your device managed networks

`client.ZeroTrust.Devices.Networks.List(ctx, query) (*SinglePage[DeviceNetwork], error)`

**get** `/accounts/{account_id}/devices/networks`

Fetches a list of managed networks for an account.
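Each managed network in this section carries a `Config` whose optional `Sha256` field pins the certificate served at `TLSSockaddr`; when it is absent, regular certificate verification is used instead. The following is an added example, not code from cloudflare-go or Cloudflare's documentation: it assumes the pin is the SHA-256 of the DER-encoded certificate (the value `openssl x509 -fingerprint -sha256` prints, colons removed), generates a throwaway certificate in-process as constructed test data, and uses hypothetical function names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// certSHA256 returns the lowercase hex SHA-256 of the first CERTIFICATE
// block in pemData, hashing the DER bytes (assumed pin format).
func certSHA256(pemData []byte) (string, error) {
	for {
		block, rest := pem.Decode(pemData)
		if block == nil {
			return "", errors.New("no CERTIFICATE block found")
		}
		if block.Type == "CERTIFICATE" {
			if _, err := x509.ParseCertificate(block.Bytes); err != nil {
				return "", fmt.Errorf("parse certificate: %w", err)
			}
			sum := sha256.Sum256(block.Bytes)
			return hex.EncodeToString(sum[:]), nil
		}
		pemData = rest // skip keys or other blocks that precede the certificate
	}
}

// normalizePin accepts "AB:CD:..." or "abcd..." and returns lowercase hex.
func normalizePin(pin string) (string, error) {
	p := strings.ToLower(strings.ReplaceAll(strings.TrimSpace(pin), ":", ""))
	raw, err := hex.DecodeString(p)
	if err != nil || len(raw) != sha256.Size {
		return "", errors.New("pin is not a 64-hex-digit SHA-256 value")
	}
	return p, nil
}

// pinStatus classifies a configured sha256 value: "unpinned" means the
// client falls back to regular certificate verification.
func pinStatus(configured string) string {
	if strings.TrimSpace(configured) == "" {
		return "unpinned"
	}
	if _, err := normalizePin(configured); err != nil {
		return "malformed"
	}
	return "pinned"
}

// pinMatches reports whether the certificate in pemData hashes to configuredPin.
func pinMatches(pemData []byte, configuredPin string) (bool, error) {
	want, err := normalizePin(configuredPin)
	if err != nil {
		return false, err
	}
	got, err := certSHA256(pemData)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1, nil
}

// selfSignedPEM builds a throwaway self-signed certificate (constructed test data).
func selfSignedPEM(commonName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		DNSNames:     []string{commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemData, err := selfSignedPEM("foo.bar")
	if err != nil {
		panic(err)
	}
	fp, err := certSHA256(pemData)
	if err != nil {
		panic(err)
	}
	ok, _ := pinMatches(pemData, fp)
	fmt.Printf("sha256=%s status=%s matches=%t\n", fp, pinStatus(fp), ok)
}
```

Run the comparison again whenever the certificate on the detection host is renewed, since a renewed certificate hashes to a different value than the one stored in `Sha256`.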
### Parameters - `query DeviceNetworkListParams` - `AccountID param.Field[string]` ### Returns - `type DeviceNetwork struct{…}` - `Config DeviceNetworkConfig` The configuration object containing information for the WARP client to detect the managed network. - `TLSSockaddr string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `Sha256 string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `Name string` The name of the device managed network. This name must be unique. - `NetworkID string` API UUID. - `Type DeviceNetworkType` The type of device managed network. - `const DeviceNetworkTypeTLS DeviceNetworkType = "tls"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Devices.Networks.List(context.TODO(), zero_trust.DeviceNetworkListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, 
"total_count": 2000 } } ``` ## Get device managed network details `client.ZeroTrust.Devices.Networks.Get(ctx, networkID, query) (*DeviceNetwork, error)` **get** `/accounts/{account_id}/devices/networks/{network_id}` Fetches details for a single managed network. ### Parameters - `networkID string` API UUID. - `query DeviceNetworkGetParams` - `AccountID param.Field[string]` ### Returns - `type DeviceNetwork struct{…}` - `Config DeviceNetworkConfig` The configuration object containing information for the WARP client to detect the managed network. - `TLSSockaddr string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `Sha256 string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `Name string` The name of the device managed network. This name must be unique. - `NetworkID string` API UUID. - `Type DeviceNetworkType` The type of device managed network. 
- `const DeviceNetworkTypeTLS DeviceNetworkType = "tls"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) deviceNetwork, err := client.ZeroTrust.Devices.Networks.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DeviceNetworkGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", deviceNetwork.NetworkID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" }, "success": true } ``` ## Create a device managed network `client.ZeroTrust.Devices.Networks.New(ctx, params) (*DeviceNetwork, error)` **post** `/accounts/{account_id}/devices/networks` Creates a new device managed network. ### Parameters - `params DeviceNetworkNewParams` - `AccountID param.Field[string]` Path param - `Config param.Field[DeviceNetworkNewParamsConfig]` Body param: The configuration object containing information for the WARP client to detect the managed network. - `TLSSockaddr string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `Sha256 string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. 
If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `Name param.Field[string]` Body param: The name of the device managed network. This name must be unique. - `Type param.Field[DeviceNetworkNewParamsType]` Body param: The type of device managed network. - `const DeviceNetworkNewParamsTypeTLS DeviceNetworkNewParamsType = "tls"` ### Returns - `type DeviceNetwork struct{…}` - `Config DeviceNetworkConfig` The configuration object containing information for the WARP client to detect the managed network. - `TLSSockaddr string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `Sha256 string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `Name string` The name of the device managed network. This name must be unique. - `NetworkID string` API UUID. - `Type DeviceNetworkType` The type of device managed network. 
- `const DeviceNetworkTypeTLS DeviceNetworkType = "tls"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) deviceNetwork, err := client.ZeroTrust.Devices.Networks.New(context.TODO(), zero_trust.DeviceNetworkNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Config: cloudflare.F(zero_trust.DeviceNetworkNewParamsConfig{ TLSSockaddr: cloudflare.F("foo.bar:1234"), }), Name: cloudflare.F("managed-network-1"), Type: cloudflare.F(zero_trust.DeviceNetworkNewParamsTypeTLS), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", deviceNetwork.NetworkID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" }, "success": true } ``` ## Update a device managed network `client.ZeroTrust.Devices.Networks.Update(ctx, networkID, params) (*DeviceNetwork, error)` **put** `/accounts/{account_id}/devices/networks/{network_id}` Updates a configured device managed network. ### Parameters - `networkID string` API UUID. - `params DeviceNetworkUpdateParams` - `AccountID param.Field[string]` Path param - `Config param.Field[DeviceNetworkUpdateParamsConfig]` Body param: The configuration object containing information for the WARP client to detect the managed network. 
- `TLSSockaddr string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `Sha256 string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `Name param.Field[string]` Body param: The name of the device managed network. This name must be unique. - `Type param.Field[DeviceNetworkUpdateParamsType]` Body param: The type of device managed network. - `const DeviceNetworkUpdateParamsTypeTLS DeviceNetworkUpdateParamsType = "tls"` ### Returns - `type DeviceNetwork struct{…}` - `Config DeviceNetworkConfig` The configuration object containing information for the WARP client to detect the managed network. - `TLSSockaddr string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `Sha256 string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `Name string` The name of the device managed network. This name must be unique. - `NetworkID string` API UUID. - `Type DeviceNetworkType` The type of device managed network. 
- `const DeviceNetworkTypeTLS DeviceNetworkType = "tls"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) deviceNetwork, err := client.ZeroTrust.Devices.Networks.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DeviceNetworkUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", deviceNetwork.NetworkID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" }, "success": true } ``` ## Delete a device managed network `client.ZeroTrust.Devices.Networks.Delete(ctx, networkID, body) (*SinglePage[DeviceNetwork], error)` **delete** `/accounts/{account_id}/devices/networks/{network_id}` Deletes a device managed network and fetches a list of the remaining device managed networks for an account. ### Parameters - `networkID string` API UUID. - `body DeviceNetworkDeleteParams` - `AccountID param.Field[string]` ### Returns - `type DeviceNetwork struct{…}` - `Config DeviceNetworkConfig` The configuration object containing information for the WARP client to detect the managed network. - `TLSSockaddr string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. 
- `Sha256 string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `Name string` The name of the device managed network. This name must be unique. - `NetworkID string` API UUID. - `Type DeviceNetworkType` The type of device managed network. - `const DeviceNetworkTypeTLS DeviceNetworkType = "tls"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Devices.Networks.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DeviceNetworkDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Domain Types ### Device Network - `type DeviceNetwork struct{…}` - `Config DeviceNetworkConfig` The configuration object containing information for the WARP client to detect the managed network. 
- `TLSSockaddr string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `Sha256 string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `Name string` The name of the device managed network. This name must be unique. - `NetworkID string` API UUID. - `Type DeviceNetworkType` The type of device managed network. - `const DeviceNetworkTypeTLS DeviceNetworkType = "tls"` # Fleet Status ## Get the live status of a latest device `client.ZeroTrust.Devices.FleetStatus.Get(ctx, deviceID, params) (*DeviceFleetStatusGetResponse, error)` **get** `/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live` Get the live status of a latest device given device_id from the device_state table ### Parameters - `deviceID string` Device-specific ID, given as UUID v4 - `params DeviceFleetStatusGetParams` - `AccountID param.Field[string]` Path param: Unique identifier for account - `SinceMinutes param.Field[float64]` Query param: Number of minutes before current time - `Colo param.Field[string]` Query param: List of data centers to filter results - `TimeNow param.Field[string]` Query param: Number of minutes before current time ### Returns - `type DeviceFleetStatusGetResponse struct{…}` - `Colo string` Cloudflare colo - `DeviceID string` Device identifier (UUID v4) - `Mode string` The mode under which the WARP client is run - `Platform string` Operating system - `Status string` Network status - `Timestamp string` Timestamp in ISO format - `Version string` WARP client version - `AlwaysOn bool` - `BatteryCharging bool` - `BatteryCycles int64` - `BatteryPct float64` - `ConnectionType string` - `CPUPct float64` - `CPUPctByApp [][]DeviceFleetStatusGetResponseCPUPctByApp` - `CPUPct float64` - `Name string` - `DeviceIPV4 DeviceFleetStatusGetResponseDeviceIPV4` - 
`Address string` - `ASN int64` - `Aso string` - `Location DeviceFleetStatusGetResponseDeviceIPV4Location` - `City string` - `CountryISO string` - `StateISO string` - `Zip string` - `Netmask string` - `Version string` - `DeviceIPV6 DeviceFleetStatusGetResponseDeviceIPV6` - `Address string` - `ASN int64` - `Aso string` - `Location DeviceFleetStatusGetResponseDeviceIPV6Location` - `City string` - `CountryISO string` - `StateISO string` - `Zip string` - `Netmask string` - `Version string` - `DeviceName string` Device identifier (human readable) - `DiskReadBps int64` - `DiskUsagePct float64` - `DiskWriteBps int64` - `DOHSubdomain string` - `EstimatedLossPct float64` - `FirewallEnabled bool` - `GatewayIPV4 DeviceFleetStatusGetResponseGatewayIPV4` - `Address string` - `ASN int64` - `Aso string` - `Location DeviceFleetStatusGetResponseGatewayIPV4Location` - `City string` - `CountryISO string` - `StateISO string` - `Zip string` - `Netmask string` - `Version string` - `GatewayIPV6 DeviceFleetStatusGetResponseGatewayIPV6` - `Address string` - `ASN int64` - `Aso string` - `Location DeviceFleetStatusGetResponseGatewayIPV6Location` - `City string` - `CountryISO string` - `StateISO string` - `Zip string` - `Netmask string` - `Version string` - `HandshakeLatencyMs float64` - `ISPIPV4 DeviceFleetStatusGetResponseISPIPV4` - `Address string` - `ASN int64` - `Aso string` - `Location DeviceFleetStatusGetResponseISPIPV4Location` - `City string` - `CountryISO string` - `StateISO string` - `Zip string` - `Netmask string` - `Version string` - `ISPIPV6 DeviceFleetStatusGetResponseISPIPV6` - `Address string` - `ASN int64` - `Aso string` - `Location DeviceFleetStatusGetResponseISPIPV6Location` - `City string` - `CountryISO string` - `StateISO string` - `Zip string` - `Netmask string` - `Version string` - `Metal string` - `NetworkRcvdBps int64` - `NetworkSentBps int64` - `NetworkSsid string` - `PersonEmail string` User contact email address - `RamAvailableKB int64` - `RamUsedPct float64` - 
`RamUsedPctByApp [][]DeviceFleetStatusGetResponseRamUsedPctByApp` - `Name string` - `RamUsedPct float64` - `SwitchLocked bool` - `WifiStrengthDbm int64` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) fleetStatus, err := client.ZeroTrust.Devices.FleetStatus.Get( context.TODO(), "cb49c27f-7f97-49c5-b6f3-f7c01ead0fd7", zero_trust.DeviceFleetStatusGetParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), SinceMinutes: cloudflare.F(10.000000), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", fleetStatus.NetworkSsid) } ``` #### Response ```json { "colo": "SJC", "deviceId": "deviceId", "mode": "proxy", "platform": "windows", "status": "connected", "timestamp": "2023-10-11T00:00:00Z", "version": "1.0.0", "alwaysOn": true, "batteryCharging": true, "batteryCycles": 0, "batteryPct": 0, "connectionType": "connectionType", "cpuPct": 0, "cpuPctByApp": [ [ { "cpu_pct": 0, "name": "name" } ] ], "deviceIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceName": "deviceName", "diskReadBps": 0, "diskUsagePct": 0, "diskWriteBps": 0, "dohSubdomain": "dohSubdomain", "estimatedLossPct": 0, "firewallEnabled": true, "gatewayIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "gatewayIpv6": { "address": 
"address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "handshakeLatencyMs": 0, "ispIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "ispIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "metal": "metal", "networkRcvdBps": 0, "networkSentBps": 0, "networkSsid": "networkSsid", "personEmail": "personEmail", "ramAvailableKb": 0, "ramUsedPct": 0, "ramUsedPctByApp": [ [ { "name": "name", "ram_used_pct": 0 } ] ], "switchLocked": true, "wifiStrengthDbm": 0 } ``` # Policies ## Domain Types ### Device Policy Certificates - `type DevicePolicyCertificates struct{…}` - `Enabled bool` The current status of the device policy certificate provisioning feature for WARP clients. ### Fallback Domain - `type FallbackDomain struct{…}` - `Suffix string` The domain suffix to match when resolving locally. - `Description string` A description of the fallback domain, displayed in the client UI. - `DNSServer []string` A list of IP addresses to handle domain resolution. ### Fallback Domain Policy - `type FallbackDomainPolicy []FallbackDomain` - `Suffix string` The domain suffix to match when resolving locally. - `Description string` A description of the fallback domain, displayed in the client UI. - `DNSServer []string` A list of IP addresses to handle domain resolution. ### Settings Policy - `type SettingsPolicy struct{…}` - `AllowModeSwitch bool` Whether to allow the user to switch WARP between modes. - `AllowUpdates bool` Whether to receive update notifications when a new version of the client is available. 
  - `AllowedToLeave bool` Whether to allow devices to leave the organization.
  - `AutoConnect float64` The amount of time in seconds to reconnect after having been disabled.
  - `CaptivePortal float64` Turn on the captive portal after the specified amount of time.
  - `Default bool` Whether the policy is the default policy for an account.
  - `Description string` A description of the policy.
  - `DisableAutoFallback bool` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `Enabled bool` Whether the policy will be applied to matching devices.
  - `Exclude []SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `ExcludeOfficeIPs bool` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `FallbackDomains []FallbackDomain`
    - `Suffix string` The domain suffix to match when resolving locally.
    - `Description string` A description of the fallback domain, displayed in the client UI.
    - `DNSServer []string` A list of IP addresses to handle domain resolution.
  - `GatewayUniqueID string`
  - `Include []SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `LANAllowMinutes float64` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `LANAllowSubnetSize float64` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `Match string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `Name string` The name of the device settings profile.
  - `PolicyID string`
  - `Precedence float64` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `RegisterInterfaceIPWithDNS bool` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport bool` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 SettingsPolicyServiceModeV2`
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL string` The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked bool` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TargetTests []SettingsPolicyTargetTest`
    - `ID string` The id of the DEX test targeting this policy.
    - `Name string` The name of the DEX test targeting this policy.
  - `TunnelProtocol string` Determines which tunnel protocol to use.

### Split Tunnel Exclude

- `type SplitTunnelExclude interface{…}`
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Split Tunnel Include

- `type SplitTunnelInclude interface{…}`
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.

# Default

## Get the default device settings profile

`client.ZeroTrust.Devices.Policies.Default.Get(ctx, query) (*DevicePolicyDefaultGetResponse, error)`

**get** `/accounts/{account_id}/devices/policy`

Fetches the default device settings profile for an account.

### Parameters

- `query DevicePolicyDefaultGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type DevicePolicyDefaultGetResponse struct{…}`
  - `AllowModeSwitch bool` Whether to allow the user to switch WARP between modes.
  - `AllowUpdates bool` Whether to receive update notifications when a new version of the client is available.
  - `AllowedToLeave bool` Whether to allow devices to leave the organization.
  - `AutoConnect float64` The amount of time in seconds to reconnect after having been disabled.
  - `CaptivePortal float64` Turn on the captive portal after the specified amount of time.
  - `Default bool` Whether the policy will be applied to matching devices.
  - `DisableAutoFallback bool` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `Enabled bool` Whether the policy will be applied to matching devices.
  - `Exclude []SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `ExcludeOfficeIPs bool` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `FallbackDomains []FallbackDomain`
    - `Suffix string` The domain suffix to match when resolving locally.
    - `Description string` A description of the fallback domain, displayed in the client UI.
    - `DNSServer []string` A list of IP addresses to handle domain resolution.
  - `GatewayUniqueID string`
  - `Include []SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `RegisterInterfaceIPWithDNS bool` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport bool` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 DevicePolicyDefaultGetResponseServiceModeV2`
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL string` The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked bool` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TunnelProtocol string` Determines which tunnel protocol to use.
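
A defender's read of the profile fields listed above, as an added example (not part of cloudflare-go or of this reference): it decodes a `result` object shaped like this endpoint's response and reports settings that loosen enforcement. The sample JSON is constructed, and the prefix thresholds (/16 for IPv4, /48 for IPv6) are assumptions chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// profile holds only the fields of the documented `result` object that the audit reads.
type profile struct {
	AllowModeSwitch     bool `json:"allow_mode_switch"`
	AllowedToLeave      bool `json:"allowed_to_leave"`
	DisableAutoFallback bool `json:"disable_auto_fallback"`
	SwitchLocked        bool `json:"switch_locked"`
	Exclude             []struct {
		Address string `json:"address"`
	} `json:"exclude"`
	FallbackDomains []struct {
		Suffix    string   `json:"suffix"`
		DNSServer []string `json:"dns_server"`
	} `json:"fallback_domains"`
}

// Finding names the JSON field that triggered it and says why it matters.
type Finding struct {
	Field  string
	Detail string
}

// Review thresholds assumed for this example: excluded ranges wider than
// these prefixes are reported. Tune them to your own network plan.
const (
	minPrefixV4 = 16
	minPrefixV6 = 48
)

// sampleProfile is a constructed `result` object, not output from a real account.
const sampleProfile = `{
  "allow_mode_switch": true,
  "allowed_to_leave": false,
  "disable_auto_fallback": false,
  "switch_locked": false,
  "exclude": [
    {"address": "10.0.0.0/8"},
    {"address": "192.0.2.0/24"},
    {"host": "printer.example.com"}
  ],
  "fallback_domains": [
    {"suffix": "corp.example.com"},
    {"suffix": "example.com", "dns_server": ["1.1.1.1"]}
  ]
}`

// AuditProfile decodes a default-profile `result` object and returns
// findings in a fixed order: switches first, then excludes, then fallbacks.
func AuditProfile(raw []byte) ([]Finding, error) {
	var p profile
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("decode profile: %w", err)
	}
	var out []Finding
	add := func(field, detail string) { out = append(out, Finding{field, detail}) }

	if !p.SwitchLocked {
		add("switch_locked", "users can turn off the WARP switch and disconnect the client")
	}
	if p.AllowedToLeave {
		add("allowed_to_leave", "devices are allowed to leave the organization")
	}
	if p.AllowModeSwitch {
		add("allow_mode_switch", "users can switch WARP between modes")
	}
	for i, e := range p.Exclude {
		if e.Address == "" {
			continue // host-based entry: no prefix length to measure
		}
		field := fmt.Sprintf("exclude[%d].address", i)
		_, ipnet, err := net.ParseCIDR(e.Address)
		if err != nil {
			add(field, fmt.Sprintf("%q is not in CIDR format", e.Address))
			continue
		}
		ones, bits := ipnet.Mask.Size()
		limit := minPrefixV4
		if bits == 128 {
			limit = minPrefixV6
		}
		if ones < limit {
			add(field, fmt.Sprintf("%s keeps a /%d range outside the tunnel", e.Address, ones))
		}
	}
	for i, d := range p.FallbackDomains {
		// Per the DisableAutoFallback description: with no dns_server and the
		// option unset, the client guesses at the default/system resolvers.
		if len(d.DNSServer) == 0 && !p.DisableAutoFallback {
			add(fmt.Sprintf("fallback_domains[%d].dns_server", i),
				fmt.Sprintf("%s resolves through best-guess system DNS resolvers", d.Suffix))
		}
	}
	return out, nil
}

func main() {
	findings, err := AuditProfile([]byte(sampleProfile))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-32s %s\n", f.Field, f.Detail)
	}
}
```
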

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	default_, err := client.ZeroTrust.Devices.Policies.Default.Get(context.TODO(), zero_trust.DevicePolicyDefaultGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", default_.GatewayUniqueID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": true,
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [ "1.1.1.1" ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Update the default device settings profile

`client.ZeroTrust.Devices.Policies.Default.Edit(ctx, params) (*DevicePolicyDefaultEditResponse, error)`

**patch** `/accounts/{account_id}/devices/policy`

Updates the default device settings profile for an account.

### Parameters

- `params DevicePolicyDefaultEditParams`
  - `AccountID param.Field[string]` Path param
  - `AllowModeSwitch param.Field[bool]` Body param: Whether to allow the user to switch WARP between modes.
  - `AllowUpdates param.Field[bool]` Body param: Whether to receive update notifications when a new version of the client is available.
  - `AllowedToLeave param.Field[bool]` Body param: Whether to allow devices to leave the organization.
  - `AutoConnect param.Field[float64]` Body param: The amount of time in seconds to reconnect after having been disabled.
  - `CaptivePortal param.Field[float64]` Body param: Turn on the captive portal after the specified amount of time.
  - `DisableAutoFallback param.Field[bool]` Body param: If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `Exclude param.Field[[]SplitTunnelExclude]` Body param: List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `ExcludeOfficeIPs param.Field[bool]` Body param: Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `Include param.Field[[]SplitTunnelInclude]` Body param: List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `LANAllowMinutes param.Field[float64]` Body param: The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `LANAllowSubnetSize param.Field[float64]` Body param: The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `RegisterInterfaceIPWithDNS param.Field[bool]` Body param: Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport param.Field[bool]` Body param: Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 param.Field[DevicePolicyDefaultEditParamsServiceModeV2]` Body param
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL param.Field[string]` Body param: The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked param.Field[bool]` Body param: Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TunnelProtocol param.Field[string]` Body param: Determines which tunnel protocol to use.
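
The request rules stated in the parameter list above (`exclude` and `include` cannot be set in the same request; a Split Tunnel item carries `address` or `host`, not both; `address` is in CIDR format) written as a pre-flight check on the JSON body, in an added example that is not part of cloudflare-go. Treating a key that is merely present as "set" and rejecting an item with neither field are assumptions of this example; both sample bodies are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// route is one Split Tunnel item as it appears in the request body.
type route struct {
	Address     string `json:"address"`
	Host        string `json:"host"`
	Description string `json:"description"`
}

// Constructed request bodies for PATCH /accounts/{account_id}/devices/policy.
const (
	goodBody = `{
  "switch_locked": true,
  "exclude": [
    {"address": "192.0.2.0/24", "description": "lab range"},
    {"host": "intranet.example.com"}
  ]
}`
	badBody = `{
  "exclude": [
    {"address": "192.0.2.0/24", "host": "a.example.com"},
    {"address": "192.0.2.7"}
  ],
  "include": [
    {"description": "no address or host"}
  ]
}`
)

// ValidateEditBody returns one message per rule the body breaks, in a fixed
// order: the exclude/include conflict first, then exclude items, then include items.
func ValidateEditBody(raw []byte) []string {
	// RawMessage keeps key presence visible: an absent list and an empty
	// list decode to the same Go slice, but only one of them was "set".
	var body map[string]json.RawMessage
	if err := json.Unmarshal(raw, &body); err != nil {
		return []string{"body is not a JSON object: " + err.Error()}
	}
	var problems []string
	_, hasExclude := body["exclude"]
	_, hasInclude := body["include"]
	if hasExclude && hasInclude {
		problems = append(problems, "exclude and include are both set in the same request")
	}
	for _, key := range []string{"exclude", "include"} {
		rawList, ok := body[key]
		if !ok {
			continue
		}
		var routes []route
		if err := json.Unmarshal(rawList, &routes); err != nil {
			problems = append(problems, fmt.Sprintf("%s: not a list of route objects: %v", key, err))
			continue
		}
		for i, r := range routes {
			if msg := checkRoute(r); msg != "" {
				problems = append(problems, fmt.Sprintf("%s[%d]: %s", key, i, msg))
			}
		}
	}
	return problems
}

// checkRoute applies the per-item rules and returns "" when the item is acceptable.
func checkRoute(r route) string {
	switch {
	case r.Address != "" && r.Host != "":
		return "address and host are both present"
	case r.Address == "" && r.Host == "":
		return "neither address nor host is present"
	case r.Address != "":
		if _, _, err := net.ParseCIDR(r.Address); err != nil {
			return fmt.Sprintf("address %q is not in CIDR format", r.Address)
		}
	}
	return ""
}

func main() {
	for name, body := range map[string]string{"good": goodBody, "bad": badBody} {
		problems := ValidateEditBody([]byte(body))
		fmt.Printf("%s body: %d problem(s)\n", name, len(problems))
		for _, p := range problems {
			fmt.Println("  -", p)
		}
	}
}
```
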

### Returns

- `type DevicePolicyDefaultEditResponse struct{…}`
  - `AllowModeSwitch bool` Whether to allow the user to switch WARP between modes.
  - `AllowUpdates bool` Whether to receive update notifications when a new version of the client is available.
  - `AllowedToLeave bool` Whether to allow devices to leave the organization.
  - `AutoConnect float64` The amount of time in seconds to reconnect after having been disabled.
  - `CaptivePortal float64` Turn on the captive portal after the specified amount of time.
  - `Default bool` Whether the policy will be applied to matching devices.
  - `DisableAutoFallback bool` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `Enabled bool` Whether the policy will be applied to matching devices.
  - `Exclude []SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `ExcludeOfficeIPs bool` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `FallbackDomains []FallbackDomain`
    - `Suffix string` The domain suffix to match when resolving locally.
    - `Description string` A description of the fallback domain, displayed in the client UI.
    - `DNSServer []string` A list of IP addresses to handle domain resolution.
  - `GatewayUniqueID string`
  - `Include []SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `RegisterInterfaceIPWithDNS bool` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport bool` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 DevicePolicyDefaultEditResponseServiceModeV2`
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL string` The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked bool` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TunnelProtocol string` Determines which tunnel protocol to use.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Devices.Policies.Default.Edit(context.TODO(), zero_trust.DevicePolicyDefaultEditParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.GatewayUniqueID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": true,
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [ "1.1.1.1" ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

# Excludes

## Get the Split Tunnel exclude list

`client.ZeroTrust.Devices.Policies.Default.Excludes.Get(ctx, query) (*SinglePage[SplitTunnelExclude], error)`

**get** `/accounts/{account_id}/devices/policy/exclude`

Fetches the list of routes excluded from the WARP client's tunnel.

### Parameters

- `query DevicePolicyDefaultExcludeGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type SplitTunnelExclude interface{…}`
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Default.Excludes.Get(context.TODO(), zero_trust.DevicePolicyDefaultExcludeGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Exclude testing domains from the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Set the Split Tunnel exclude list

`client.ZeroTrust.Devices.Policies.Default.Excludes.Update(ctx, params) (*SinglePage[SplitTunnelExclude], error)`

**put** `/accounts/{account_id}/devices/policy/exclude`

Sets the list of routes excluded from the WARP client's tunnel.

### Parameters

- `params DevicePolicyDefaultExcludeUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Body param.Field[[]SplitTunnelExclude]` Body param
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `type SplitTunnelExclude interface{…}`
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Default.Excludes.Update(context.TODO(), zero_trust.DevicePolicyDefaultExcludeUpdateParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Body: []zero_trust.SplitTunnelExcludeUnionParam{zero_trust.SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddressParam{
			Address: cloudflare.F("192.0.2.0/24"),
		}},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Exclude testing domains from the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Includes

## Get the Split Tunnel include list

`client.ZeroTrust.Devices.Policies.Default.Includes.Get(ctx, query) (*SinglePage[SplitTunnelInclude], error)`

**get** `/accounts/{account_id}/devices/policy/include`

Fetches the list of routes included in the WARP client's tunnel.

### Parameters

- `query DevicePolicyDefaultIncludeGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type SplitTunnelInclude interface{…}`
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Default.Includes.Get(context.TODO(), zero_trust.DevicePolicyDefaultIncludeGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Include testing domains in the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Set the Split Tunnel include list

`client.ZeroTrust.Devices.Policies.Default.Includes.Update(ctx, params) (*SinglePage[SplitTunnelInclude], error)`

**put** `/accounts/{account_id}/devices/policy/include`

Sets the list of routes included in the WARP client's tunnel.

### Parameters

- `params DevicePolicyDefaultIncludeUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Body param.Field[[]SplitTunnelInclude]` Body param
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `type SplitTunnelInclude interface{…}`
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Default.Includes.Update(context.TODO(), zero_trust.DevicePolicyDefaultIncludeUpdateParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Body: []zero_trust.SplitTunnelIncludeUnionParam{zero_trust.SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddressParam{
			Address: cloudflare.F("192.0.2.0/24"),
		}},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Include testing domains in the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Fallback Domains

## Get your Local Domain Fallback list

`client.ZeroTrust.Devices.Policies.Default.FallbackDomains.Get(ctx, query) (*SinglePage[FallbackDomain], error)`

**get** `/accounts/{account_id}/devices/policy/fallback_domains`

Fetches a list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.

### Parameters

- `query DevicePolicyDefaultFallbackDomainGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type FallbackDomain struct{…}`
  - `Suffix string` The domain suffix to match when resolving locally.
  - `Description string` A description of the fallback domain, displayed in the client UI.
  - `DNSServer []string` A list of IP addresses to handle domain resolution.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Default.FallbackDomains.Get(context.TODO(), zero_trust.DevicePolicyDefaultFallbackDomainGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "suffix": "example.com",
      "description": "Domain bypass for local development",
      "dns_server": [ "1.1.1.1" ]
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Set your Local Domain Fallback list

`client.ZeroTrust.Devices.Policies.Default.FallbackDomains.Update(ctx, params) (*SinglePage[FallbackDomain], error)`

**put** `/accounts/{account_id}/devices/policy/fallback_domains`

Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.

### Parameters

- `params DevicePolicyDefaultFallbackDomainUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Domains param.Field[[]FallbackDomain]` Body param
    - `Suffix string` The domain suffix to match when resolving locally.
    - `Description string` A description of the fallback domain, displayed in the client UI.
    - `DNSServer []string` A list of IP addresses to handle domain resolution.

### Returns

- `type FallbackDomain struct{…}`
  - `Suffix string` The domain suffix to match when resolving locally.
  - `Description string` A description of the fallback domain, displayed in the client UI.
  - `DNSServer []string` A list of IP addresses to handle domain resolution.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Default.FallbackDomains.Update(context.TODO(), zero_trust.DevicePolicyDefaultFallbackDomainUpdateParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Domains: []zero_trust.FallbackDomainParam{zero_trust.FallbackDomainParam{
			Suffix: cloudflare.F("example.com"),
		}},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "suffix": "example.com",
      "description": "Domain bypass for local development",
      "dns_server": [ "1.1.1.1" ]
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Certificates

## Get device certificate provisioning status

`client.ZeroTrust.Devices.Policies.Default.Certificates.Get(ctx, query) (*DevicePolicyCertificates, error)`

**get** `/zones/{zone_id}/devices/policy/certificates`

Fetches device certificate provisioning.

### Parameters

- `query DevicePolicyDefaultCertificateGetParams`
  - `ZoneID param.Field[string]`

### Returns

- `type DevicePolicyCertificates struct{…}`
  - `Enabled bool` The current status of the device policy certificate provisioning feature for WARP clients.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	devicePolicyCertificates, err := client.ZeroTrust.Devices.Policies.Default.Certificates.Get(context.TODO(), zero_trust.DevicePolicyDefaultCertificateGetParams{
		ZoneID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", devicePolicyCertificates.Enabled)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "enabled": true
  },
  "success": true
}
```

## Update device certificate provisioning status

`client.ZeroTrust.Devices.Policies.Default.Certificates.Edit(ctx, params) (*DevicePolicyCertificates, error)`

**patch** `/zones/{zone_id}/devices/policy/certificates`

Enable Zero Trust Clients to provision a certificate, containing an x509 subject, and referenced by Access device posture policies when the client visits MTLS protected domains. This facilitates device posture without a WARP session.

### Parameters

- `params DevicePolicyDefaultCertificateEditParams`
  - `ZoneID param.Field[string]` Path param
  - `DevicePolicyCertificates param.Field[DevicePolicyCertificates]` Body param

### Returns

- `type DevicePolicyCertificates struct{…}`
  - `Enabled bool` The current status of the device policy certificate provisioning feature for WARP clients.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	devicePolicyCertificates, err := client.ZeroTrust.Devices.Policies.Default.Certificates.Edit(context.TODO(), zero_trust.DevicePolicyDefaultCertificateEditParams{
		ZoneID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		DevicePolicyCertificates: zero_trust.DevicePolicyCertificatesParam{
			Enabled: cloudflare.F(true),
		},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", devicePolicyCertificates.Enabled)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "enabled": true
  },
  "success": true
}
```

# Custom

## List device settings profiles

`client.ZeroTrust.Devices.Policies.Custom.List(ctx, query) (*SinglePage[SettingsPolicy], error)`

**get** `/accounts/{account_id}/devices/policies`

Fetches a list of the device settings profiles for an account.

### Parameters

- `query DevicePolicyCustomListParams`
  - `AccountID param.Field[string]`

### Returns

- `type SettingsPolicy struct{…}`
  - `AllowModeSwitch bool` Whether to allow the user to switch WARP between modes.
  - `AllowUpdates bool` Whether to receive update notifications when a new version of the client is available.
  - `AllowedToLeave bool` Whether to allow devices to leave the organization.
  - `AutoConnect float64` The amount of time in seconds to reconnect after having been disabled.
  - `CaptivePortal float64` Turn on the captive portal after the specified amount of time.
  - `Default bool` Whether the policy is the default policy for an account.
  - `Description string` A description of the policy.
  - `DisableAutoFallback bool` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `Enabled bool` Whether the policy will be applied to matching devices.
  - `Exclude []SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `ExcludeOfficeIPs bool` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `FallbackDomains []FallbackDomain`
    - `Suffix string` The domain suffix to match when resolving locally.
    - `Description string` A description of the fallback domain, displayed in the client UI.
    - `DNSServer []string` A list of IP addresses to handle domain resolution.
  - `GatewayUniqueID string`
  - `Include []SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `LANAllowMinutes float64` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `LANAllowSubnetSize float64` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `Match string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `Name string` The name of the device settings profile.
  - `PolicyID string`
  - `Precedence float64` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `RegisterInterfaceIPWithDNS bool` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport bool` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 SettingsPolicyServiceModeV2`
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL string` The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked bool` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TargetTests []SettingsPolicyTargetTest`
    - `ID string` The id of the DEX test targeting this policy.
    - `Name string` The name of the DEX test targeting this policy.
  - `TunnelProtocol string` Determines which tunnel protocol to use.
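A review pass over the profiles this endpoint returns, added here as an example (it is not Cloudflare's or cloudflare-go's code). It decodes the documented response JSON with the standard library only; the `Profile` and `Finding` types, the constructed sample response, and the choice of which settings count as findings (including the /16 and /64 breadth rule for `exclude`) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"sort"
)

// Profile holds the SettingsPolicy JSON fields this audit reads.
type Profile struct {
	Name                string   `json:"name"`
	Enabled             bool     `json:"enabled"`
	Precedence          float64  `json:"precedence"`
	AllowedToLeave      bool     `json:"allowed_to_leave"`
	DisableAutoFallback bool     `json:"disable_auto_fallback"`
	LANAllowMinutes     *float64 `json:"lan_allow_minutes"` // nil when the field is omitted
	Exclude             []struct {
		Address string `json:"address"`
	} `json:"exclude"`
	FallbackDomains []struct {
		Suffix    string   `json:"suffix"`
		DNSServer []string `json:"dns_server"`
	} `json:"fallback_domains"`
}

// Finding is one setting a reviewer should look at.
type Finding struct{ Profile, Field, Detail string }

// sampleResponse is constructed for this example, in the shape of the list response.
const sampleResponse = `{"success": true, "result": [
 {"name": "Contractors", "enabled": true, "precedence": 200, "allowed_to_leave": true,
  "disable_auto_fallback": true, "lan_allow_minutes": 0,
  "exclude": [{"address": "10.0.0.0/8"}, {"host": "intranet.example.com"}]},
 {"name": "Allow Developers", "enabled": true, "precedence": 100, "allowed_to_leave": false,
  "disable_auto_fallback": false, "lan_allow_minutes": 30, "exclude": [{"address": "192.0.2.0/24"}],
  "fallback_domains": [{"suffix": "example.com", "dns_server": ["1.1.1.1"]}, {"suffix": "corp.example"}]},
 {"name": "Legacy", "enabled": false, "precedence": 50, "allowed_to_leave": true}
]}`

// AuditProfiles returns findings for enabled profiles, in evaluation order.
func AuditProfiles(raw []byte) ([]Finding, error) {
	var env struct {
		Success bool      `json:"success"`
		Result  []Profile `json:"result"`
	}
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, fmt.Errorf("response reports success=false")
	}
	// Profiles are evaluated in ascending precedence order.
	sort.SliceStable(env.Result, func(i, j int) bool {
		return env.Result[i].Precedence < env.Result[j].Precedence
	})
	var out []Finding
	for _, p := range env.Result {
		if !p.Enabled {
			continue // a disabled profile is not applied to devices
		}
		add := func(field, detail string) { out = append(out, Finding{p.Name, field, detail}) }
		if p.AllowedToLeave {
			add("allowed_to_leave", "devices may leave the organization")
		}
		if p.LANAllowMinutes != nil && *p.LANAllowMinutes == 0 {
			add("lan_allow_minutes", "0 allows LAN access until the next WARP reconnection")
		}
		for _, e := range p.Exclude {
			if e.Address == "" {
				continue // host-based entry, no CIDR to measure
			}
			pfx, err := netip.ParsePrefix(e.Address)
			if err != nil {
				add("exclude", "address is not valid CIDR: "+e.Address)
			} else if pfx.Bits() < pfx.Addr().BitLen()/2 {
				// Assumed review rule: flag prefixes shorter than /16 (IPv4) or /64 (IPv6).
				add("exclude", "broad range "+pfx.String()+" is routed outside the tunnel")
			}
		}
		for _, d := range p.FallbackDomains {
			if len(d.DNSServer) == 0 && !p.DisableAutoFallback {
				add("fallback_domains", d.Suffix+" falls back to best-guess system DNS resolvers")
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := AuditProfiles([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s: %s\n", f.Profile, f.Field, f.Detail)
	}
}
```

To run it against a live account, marshal the `result` of the list call to JSON or map the SDK's `SettingsPolicy` fields onto `Profile`.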
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Custom.List(context.TODO(), zero_trust.DevicePolicyCustomListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "allow_mode_switch": true,
      "allow_updates": true,
      "allowed_to_leave": true,
      "auto_connect": 0,
      "captive_portal": 180,
      "default": false,
      "description": "Policy for test teams.",
      "disable_auto_fallback": true,
      "enabled": true,
      "exclude": [
        {
          "address": "192.0.2.0/24",
          "description": "Exclude testing domains from the tunnel"
        }
      ],
      "exclude_office_ips": true,
      "fallback_domains": [
        {
          "suffix": "example.com",
          "description": "Domain bypass for local development",
          "dns_server": [
            "1.1.1.1"
          ]
        }
      ],
      "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
      "include": [
        {
          "address": "192.0.2.0/24",
          "description": "Include testing domains in the tunnel"
        }
      ],
      "lan_allow_minutes": 30,
      "lan_allow_subnet_size": 24,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "Allow Developers",
      "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "precedence": 100,
      "register_interface_ip_with_dns": true,
      "sccm_vpn_boundary_support": false,
      "service_mode_v2": {
        "mode": "proxy",
        "port": 3000
      },
      "support_url": "https://1.1.1.1/help",
      "switch_locked": true,
      "target_tests": [
        {
          "id": "id",
          "name": "name"
        }
      ],
      "tunnel_protocol": "wireguard"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device settings profile by ID

`client.ZeroTrust.Devices.Policies.Custom.Get(ctx, policyID, query) (*SettingsPolicy, error)`

**get** `/accounts/{account_id}/devices/policy/{policy_id}`

Fetches a device settings profile by ID.

### Parameters

- `policyID string`
- `query DevicePolicyCustomGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type SettingsPolicy struct{…}`
  - `AllowModeSwitch bool` Whether to allow the user to switch WARP between modes.
  - `AllowUpdates bool` Whether to receive update notifications when a new version of the client is available.
  - `AllowedToLeave bool` Whether to allow devices to leave the organization.
  - `AutoConnect float64` The amount of time in seconds to reconnect after having been disabled.
  - `CaptivePortal float64` Turn on the captive portal after the specified amount of time.
  - `Default bool` Whether the policy is the default policy for an account.
  - `Description string` A description of the policy.
  - `DisableAutoFallback bool` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `Enabled bool` Whether the policy will be applied to matching devices.
  - `Exclude []SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `ExcludeOfficeIPs bool` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `FallbackDomains []FallbackDomain`
    - `Suffix string` The domain suffix to match when resolving locally.
    - `Description string` A description of the fallback domain, displayed in the client UI.
    - `DNSServer []string` A list of IP addresses to handle domain resolution.
  - `GatewayUniqueID string`
  - `Include []SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `LANAllowMinutes float64` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `LANAllowSubnetSize float64` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `Match string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `Name string` The name of the device settings profile.
  - `PolicyID string`
  - `Precedence float64` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `RegisterInterfaceIPWithDNS bool` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport bool` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 SettingsPolicyServiceModeV2`
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL string` The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked bool` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TargetTests []SettingsPolicyTargetTest`
    - `ID string` The id of the DEX test targeting this policy.
    - `Name string` The name of the DEX test targeting this policy.
  - `TunnelProtocol string` Determines which tunnel protocol to use.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	settingsPolicy, err := client.ZeroTrust.Devices.Policies.Custom.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePolicyCustomGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", settingsPolicy.GatewayUniqueID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Create a device settings profile

`client.ZeroTrust.Devices.Policies.Custom.New(ctx, params) (*SettingsPolicy, error)`

**post** `/accounts/{account_id}/devices/policy`

Creates a device settings profile to be applied to certain devices matching the criteria.

### Parameters

- `params DevicePolicyCustomNewParams`
  - `AccountID param.Field[string]` Path param
  - `Match param.Field[string]` Body param: The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `Name param.Field[string]` Body param: The name of the device settings profile.
  - `Precedence param.Field[float64]` Body param: The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `AllowModeSwitch param.Field[bool]` Body param: Whether to allow the user to switch WARP between modes.
  - `AllowUpdates param.Field[bool]` Body param: Whether to receive update notifications when a new version of the client is available.
  - `AllowedToLeave param.Field[bool]` Body param: Whether to allow devices to leave the organization.
  - `AutoConnect param.Field[float64]` Body param: The amount of time in seconds to reconnect after having been disabled.
  - `CaptivePortal param.Field[float64]` Body param: Turn on the captive portal after the specified amount of time.
  - `Description param.Field[string]` Body param: A description of the policy.
  - `DisableAutoFallback param.Field[bool]` Body param: If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `Enabled param.Field[bool]` Body param: Whether the policy will be applied to matching devices.
  - `Exclude param.Field[[]SplitTunnelExclude]` Body param: List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `ExcludeOfficeIPs param.Field[bool]` Body param: Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `Include param.Field[[]SplitTunnelInclude]` Body param: List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `LANAllowMinutes param.Field[float64]` Body param: The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `LANAllowSubnetSize param.Field[float64]` Body param: The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `RegisterInterfaceIPWithDNS param.Field[bool]` Body param: Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport param.Field[bool]` Body param: Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 param.Field[DevicePolicyCustomNewParamsServiceModeV2]` Body param
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL param.Field[string]` Body param: The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked param.Field[bool]` Body param: Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TunnelProtocol param.Field[string]` Body param: Determines which tunnel protocol to use.
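The route rules in the parameter list above (`exclude` and `include` cannot both be set in one request; an entry carries `address` or `host`, never both) can be checked before the call is made. This is an added example, not part of cloudflare-go: `SplitTunnelEntry`, `ProfileRoutes` and `ValidateRoutes` are hypothetical names, the input is constructed, and the empty-entry and host-bits checks are local strictness assumptions rather than API rules stated on this page.

```go
package main

import (
	"fmt"
	"net/netip"
)

// SplitTunnelEntry is one item of the exclude or include body param.
type SplitTunnelEntry struct{ Address, Host, Description string }

// ProfileRoutes holds the two route lists of a create or edit request body.
type ProfileRoutes struct{ Exclude, Include []SplitTunnelEntry }

// badRoutes is constructed input that breaks each rule once.
var badRoutes = ProfileRoutes{
	Exclude: []SplitTunnelEntry{
		{Address: "192.0.2.0/24", Description: "lab network"},
		{Address: "10.0.0.0/8", Host: "intranet.example.com"},
		{Address: "192.0.2.7"},
	},
	Include: []SplitTunnelEntry{
		{Host: "app.example.com"},
		{Description: "empty entry"},
		{Address: "198.51.100.9/24"},
	},
}

// ValidateRoutes returns every violation found, so all of them can be
// reported in one pass instead of one failed API call at a time.
func ValidateRoutes(r ProfileRoutes) []string {
	var problems []string
	if len(r.Exclude) > 0 && len(r.Include) > 0 {
		problems = append(problems, "exclude and include are both set; send only one")
	}
	check := func(list string, entries []SplitTunnelEntry) {
		for i, e := range entries {
			where := fmt.Sprintf("%s[%d]", list, i)
			switch {
			case e.Address != "" && e.Host != "":
				problems = append(problems, where+": address and host are both present")
			case e.Address == "" && e.Host == "":
				// Assumption: an entry with neither field routes nothing and is a mistake.
				problems = append(problems, where+": neither address nor host is present")
			case e.Address != "":
				pfx, err := netip.ParsePrefix(e.Address)
				if err != nil {
					problems = append(problems, where+": address is not in CIDR format")
				} else if pfx != pfx.Masked() {
					// Local strictness: 198.51.100.9/24 is ambiguous about the intended range.
					problems = append(problems, where+": address has host bits set, expected "+pfx.Masked().String())
				}
			}
		}
	}
	check("exclude", r.Exclude)
	check("include", r.Include)
	return problems
}

func main() {
	for _, p := range ValidateRoutes(badRoutes) {
		fmt.Println("reject:", p)
	}
}
```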
### Returns - `type SettingsPolicy struct{…}` - `AllowModeSwitch bool` Whether to allow the user to switch WARP between modes. - `AllowUpdates bool` Whether to receive update notifications when a new version of the client is available. - `AllowedToLeave bool` Whether to allow devices to leave the organization. - `AutoConnect float64` The amount of time in seconds to reconnect after having been disabled. - `CaptivePortal float64` Turn on the captive portal after the specified amount of time. - `Default bool` Whether the policy is the default policy for an account. - `Description string` A description of the policy. - `DisableAutoFallback bool` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`. - `Enabled bool` Whether the policy will be applied to matching devices. - `Exclude []SplitTunnelExclude` List of routes excluded in the WARP client's tunnel. - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}` - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. - `Description string` A description of the Split Tunnel item, displayed in the client UI. - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}` - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. - `Description string` A description of the Split Tunnel item, displayed in the client UI. - `ExcludeOfficeIPs bool` Whether to add Microsoft IPs to Split Tunnel exclusions. - `FallbackDomains []FallbackDomain` - `Suffix string` The domain suffix to match when resolving locally. - `Description string` A description of the fallback domain, displayed in the client UI. - `DNSServer []string` A list of IP addresses to handle domain resolution. 
- `GatewayUniqueID string` - `Include []SplitTunnelInclude` List of routes included in the WARP client's tunnel. - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}` - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `Description string` A description of the Split Tunnel item, displayed in the client UI. - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}` - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `Description string` A description of the Split Tunnel item, displayed in the client UI. - `LANAllowMinutes float64` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset. - `LANAllowSubnetSize float64` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset. - `Match string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version". - `Name string` The name of the device settings profile. - `PolicyID string` - `Precedence float64` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field. - `RegisterInterfaceIPWithDNS bool` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server. - `SccmVpnBoundarySupport bool` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only). - `ServiceModeV2 SettingsPolicyServiceModeV2` - `Mode string` The mode to run the WARP client under. 
- `Port float64` The port number when used with proxy mode. - `SupportURL string` The URL to launch when the Send Feedback button is clicked. - `SwitchLocked bool` Whether to allow the user to turn off the WARP switch and disconnect the client. - `TargetTests []SettingsPolicyTargetTest` - `ID string` The id of the DEX test targeting this policy. - `Name string` The name of the DEX test targeting this policy. - `TunnelProtocol string` Determines which tunnel protocol to use. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) settingsPolicy, err := client.ZeroTrust.Devices.Policies.Custom.New(context.TODO(), zero_trust.DevicePolicyCustomNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Match: cloudflare.F(`identity.email == "test@cloudflare.com"`), Name: cloudflare.F("Allow Developers"), Precedence: cloudflare.F(100.000000), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", settingsPolicy.GatewayUniqueID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "allow_mode_switch": true, "allow_updates": true, "allowed_to_leave": true, "auto_connect": 0, "captive_portal": 180, "default": false, "description": "Policy for test teams.", "disable_auto_fallback": true, "enabled": true, "exclude": [ { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" } ], "exclude_office_ips": true, "fallback_domains": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } 
], "gateway_unique_id": "699d98642c564d2e855e9661899b7252", "include": [ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ], "lan_allow_minutes": 30, "lan_allow_subnet_size": 24, "match": "identity.email == \"test@cloudflare.com\"", "name": "Allow Developers", "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "precedence": 100, "register_interface_ip_with_dns": true, "sccm_vpn_boundary_support": false, "service_mode_v2": { "mode": "proxy", "port": 3000 }, "support_url": "https://1.1.1.1/help", "switch_locked": true, "target_tests": [ { "id": "id", "name": "name" } ], "tunnel_protocol": "wireguard" }, "success": true } ``` ## Update a device settings profile `client.ZeroTrust.Devices.Policies.Custom.Edit(ctx, policyID, params) (*SettingsPolicy, error)` **patch** `/accounts/{account_id}/devices/policy/{policy_id}` Updates a configured device settings profile. ### Parameters - `policyID string` - `params DevicePolicyCustomEditParams` - `AccountID param.Field[string]` Path param - `AllowModeSwitch param.Field[bool]` Body param: Whether to allow the user to switch WARP between modes. - `AllowUpdates param.Field[bool]` Body param: Whether to receive update notifications when a new version of the client is available. - `AllowedToLeave param.Field[bool]` Body param: Whether to allow devices to leave the organization. - `AutoConnect param.Field[float64]` Body param: The amount of time in seconds to reconnect after having been disabled. - `CaptivePortal param.Field[float64]` Body param: Turn on the captive portal after the specified amount of time. - `Description param.Field[string]` Body param: A description of the policy. - `DisableAutoFallback param.Field[bool]` Body param: If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`. 
- `Enabled param.Field[bool]` Body param: Whether the policy will be applied to matching devices. - `Exclude param.Field[[]SplitTunnelExclude]` Body param: List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request. - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}` - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. - `Description string` A description of the Split Tunnel item, displayed in the client UI. - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}` - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. - `Description string` A description of the Split Tunnel item, displayed in the client UI. - `ExcludeOfficeIPs param.Field[bool]` Body param: Whether to add Microsoft IPs to Split Tunnel exclusions. - `Include param.Field[[]SplitTunnelInclude]` Body param: List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request. - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}` - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `Description string` A description of the Split Tunnel item, displayed in the client UI. - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}` - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `Description string` A description of the Split Tunnel item, displayed in the client UI. - `LANAllowMinutes param.Field[float64]` Body param: The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. 
Note that this field is omitted from the response if null or unset.
  - `LANAllowSubnetSize param.Field[float64]` Body param: The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `Match param.Field[string]` Body param: The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `Name param.Field[string]` Body param: The name of the device settings profile.
  - `Precedence param.Field[float64]` Body param: The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `RegisterInterfaceIPWithDNS param.Field[bool]` Body param: Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport param.Field[bool]` Body param: Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 param.Field[DevicePolicyCustomEditParamsServiceModeV2]` Body param
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL param.Field[string]` Body param: The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked param.Field[bool]` Body param: Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TunnelProtocol param.Field[string]` Body param: Determines which tunnel protocol to use.

### Returns

- `type SettingsPolicy struct{…}`
  - `AllowModeSwitch bool` Whether to allow the user to switch WARP between modes.
  - `AllowUpdates bool` Whether to receive update notifications when a new version of the client is available.
  - `AllowedToLeave bool` Whether to allow devices to leave the organization.
  - `AutoConnect float64` The amount of time in seconds to reconnect after having been disabled.
  - `CaptivePortal float64` Turn on the captive portal after the specified amount of time.
  - `Default bool` Whether the policy is the default policy for an account.
  - `Description string` A description of the policy.
  - `DisableAutoFallback bool` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `Enabled bool` Whether the policy will be applied to matching devices.
  - `Exclude []SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `ExcludeOfficeIPs bool` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `FallbackDomains []FallbackDomain`
    - `Suffix string` The domain suffix to match when resolving locally.
    - `Description string` A description of the fallback domain, displayed in the client UI.
    - `DNSServer []string` A list of IP addresses to handle domain resolution.
  - `GatewayUniqueID string`
  - `Include []SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `LANAllowMinutes float64` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `LANAllowSubnetSize float64` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `Match string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `Name string` The name of the device settings profile.
  - `PolicyID string`
  - `Precedence float64` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `RegisterInterfaceIPWithDNS bool` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport bool` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 SettingsPolicyServiceModeV2`
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL string` The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked bool` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TargetTests []SettingsPolicyTargetTest`
    - `ID string` The id of the DEX test targeting this policy.
    - `Name string` The name of the DEX test targeting this policy.
  - `TunnelProtocol string` Determines which tunnel protocol to use.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	settingsPolicy, err := client.ZeroTrust.Devices.Policies.Custom.Edit(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePolicyCustomEditParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", settingsPolicy.GatewayUniqueID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Delete a device settings profile

`client.ZeroTrust.Devices.Policies.Custom.Delete(ctx, policyID, body) (*SinglePage[SettingsPolicy], error)`

**delete** `/accounts/{account_id}/devices/policy/{policy_id}`

Deletes a device settings profile and fetches a list of the remaining profiles for an account.

### Parameters

- `policyID string`
- `body DevicePolicyCustomDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type SettingsPolicy struct{…}`
  - `AllowModeSwitch bool` Whether to allow the user to switch WARP between modes.
  - `AllowUpdates bool` Whether to receive update notifications when a new version of the client is available.
  - `AllowedToLeave bool` Whether to allow devices to leave the organization.
  - `AutoConnect float64` The amount of time in seconds to reconnect after having been disabled.
  - `CaptivePortal float64` Turn on the captive portal after the specified amount of time.
  - `Default bool` Whether the policy is the default policy for an account.
  - `Description string` A description of the policy.
  - `DisableAutoFallback bool` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `Enabled bool` Whether the policy will be applied to matching devices.
  - `Exclude []SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `ExcludeOfficeIPs bool` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `FallbackDomains []FallbackDomain`
    - `Suffix string` The domain suffix to match when resolving locally.
    - `Description string` A description of the fallback domain, displayed in the client UI.
    - `DNSServer []string` A list of IP addresses to handle domain resolution.
  - `GatewayUniqueID string`
  - `Include []SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `LANAllowMinutes float64` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `LANAllowSubnetSize float64` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `Match string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `Name string` The name of the device settings profile.
  - `PolicyID string`
  - `Precedence float64` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `RegisterInterfaceIPWithDNS bool` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `SccmVpnBoundarySupport bool` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `ServiceModeV2 SettingsPolicyServiceModeV2`
    - `Mode string` The mode to run the WARP client under.
    - `Port float64` The port number when used with proxy mode.
  - `SupportURL string` The URL to launch when the Send Feedback button is clicked.
  - `SwitchLocked bool` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `TargetTests []SettingsPolicyTargetTest`
    - `ID string` The id of the DEX test targeting this policy.
    - `Name string` The name of the DEX test targeting this policy.
  - `TunnelProtocol string` Determines which tunnel protocol to use.
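An added example, not part of the Cloudflare SDK or this reference: a stand-alone audit of one device settings profile in its JSON form (the `result` object shown in the responses), covering the `address`/`host` exclusivity rule, CIDR syntax, over-broad `exclude` routes, and fallback domains that have no `dns_server` while `disable_auto_fallback` is off. The type names, `AuditPolicy`, the sample profile, and the `/8` breadth floor are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Local mirrors of the response's JSON field names (not the cloudflare-go types).
type entry struct {
	Address string `json:"address"`
	Host    string `json:"host"`
}

type policy struct {
	DisableAutoFallback bool    `json:"disable_auto_fallback"`
	Exclude             []entry `json:"exclude"`
	Include             []entry `json:"include"`
	FallbackDomains     []struct {
		Suffix    string   `json:"suffix"`
		DNSServer []string `json:"dns_server"`
	} `json:"fallback_domains"`
}

// Finding is one audit result: the JSON location and why it was flagged.
type Finding struct{ Field, Reason string }

// Constructed sample profile with deliberate defects (not real account data).
const samplePolicy = `{
  "disable_auto_fallback": false,
  "exclude": [
    {"address": "192.0.2.0/24"}, {"address": "0.0.0.0/1"}, {"address": "198.51.100.7"},
    {"address": "203.0.113.0/24", "host": "vpn.example.com"}
  ],
  "include": [{"host": "intranet.example.com"}, {"description": "empty"}],
  "fallback_domains": [
    {"suffix": "example.com", "dns_server": ["1.1.1.1"]},
    {"suffix": "corp.example"},
    {"suffix": "lab.example", "dns_server": ["not-an-ip"]}
  ]
}`

// auditEntries enforces "address or host, never both" and CIDR syntax. For the
// exclude list it also flags prefixes shorter than minBits, a reviewer-chosen
// floor (an assumption of this example, not an API limit).
func auditEntries(list string, entries []entry, minBits int) []Finding {
	var out []Finding
	for i, e := range entries {
		field := fmt.Sprintf("%s[%d]", list, i)
		switch {
		case e.Address != "" && e.Host != "":
			out = append(out, Finding{field, "address and host are both set"})
		case e.Address == "" && e.Host == "":
			out = append(out, Finding{field, "neither address nor host is set"})
		case e.Address != "":
			if p, err := netip.ParsePrefix(e.Address); err != nil {
				out = append(out, Finding{field, "address is not in CIDR format: " + e.Address})
			} else if list == "exclude" && p.Bits() < minBits {
				out = append(out, Finding{field, fmt.Sprintf("%s is broader than /%d and bypasses the tunnel", p, minBits)})
			}
		}
	}
	return out
}

// AuditPolicy decodes one profile object and returns findings in order:
// exclude entries, include entries, then fallback domains. A fallback domain
// with no dns_server is flagged unless disable_auto_fallback is true, because
// the client then guesses the default/system resolvers.
func AuditPolicy(raw []byte, minBits int) ([]Finding, error) {
	var p policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("decode policy: %w", err)
	}
	findings := auditEntries("exclude", p.Exclude, minBits)
	findings = append(findings, auditEntries("include", p.Include, minBits)...)
	for i, d := range p.FallbackDomains {
		field := fmt.Sprintf("fallback_domains[%d]", i)
		if len(d.DNSServer) == 0 && !p.DisableAutoFallback {
			findings = append(findings, Finding{field, d.Suffix + " has no dns_server; client guesses system resolvers"})
		}
		for _, s := range d.DNSServer {
			if _, err := netip.ParseAddr(s); err != nil {
				findings = append(findings, Finding{field, "dns_server is not an IP address: " + s})
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditPolicy([]byte(samplePolicy), 8)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s %s\n", f.Field, f.Reason)
	}
}
```

Running the same checks on a list before a `put` to `/exclude`, `/include` or `/fallback_domains` catches a malformed entry before it becomes the profile's new list.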
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Custom.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePolicyCustomDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "allow_mode_switch": true,
      "allow_updates": true,
      "allowed_to_leave": true,
      "auto_connect": 0,
      "captive_portal": 180,
      "default": false,
      "description": "Policy for test teams.",
      "disable_auto_fallback": true,
      "enabled": true,
      "exclude": [
        {
          "address": "192.0.2.0/24",
          "description": "Exclude testing domains from the tunnel"
        }
      ],
      "exclude_office_ips": true,
      "fallback_domains": [
        {
          "suffix": "example.com",
          "description": "Domain bypass for local development",
          "dns_server": [
            "1.1.1.1"
          ]
        }
      ],
      "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
      "include": [
        {
          "address": "192.0.2.0/24",
          "description": "Include testing domains in the tunnel"
        }
      ],
      "lan_allow_minutes": 30,
      "lan_allow_subnet_size": 24,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "Allow Developers",
      "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "precedence": 100,
      "register_interface_ip_with_dns": true,
      "sccm_vpn_boundary_support": false,
      "service_mode_v2": {
        "mode": "proxy",
        "port": 3000
      },
      "support_url": "https://1.1.1.1/help",
      "switch_locked": true,
      "target_tests": [
        {
          "id": "id",
          "name": "name"
        }
      ],
      "tunnel_protocol": "wireguard"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Excludes

## Get the Split Tunnel exclude list for a device settings profile

`client.ZeroTrust.Devices.Policies.Custom.Excludes.Get(ctx, policyID, query) (*SinglePage[SplitTunnelExclude], error)`

**get** `/accounts/{account_id}/devices/policy/{policy_id}/exclude`

Fetches the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

### Parameters

- `policyID string`
- `query DevicePolicyCustomExcludeGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type SplitTunnelExclude interface{…}`
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Custom.Excludes.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePolicyCustomExcludeGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Exclude testing domains from the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Set the Split Tunnel exclude list for a device settings profile

`client.ZeroTrust.Devices.Policies.Custom.Excludes.Update(ctx, policyID, params) (*SinglePage[SplitTunnelExclude], error)`

**put** `/accounts/{account_id}/devices/policy/{policy_id}/exclude`

Sets the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

### Parameters

- `policyID string`
- `params DevicePolicyCustomExcludeUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Body param.Field[[]SplitTunnelExclude]` Body param
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `type SplitTunnelExclude interface{…}`
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Custom.Excludes.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePolicyCustomExcludeUpdateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Body: []zero_trust.SplitTunnelExcludeUnionParam{zero_trust.SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddressParam{
				Address: cloudflare.F("192.0.2.0/24"),
			}},
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Exclude testing domains from the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Includes

## Get the Split Tunnel include list for a device settings profile

`client.ZeroTrust.Devices.Policies.Custom.Includes.Get(ctx, policyID, query) (*SinglePage[SplitTunnelInclude], error)`

**get** `/accounts/{account_id}/devices/policy/{policy_id}/include`

Fetches the list of routes included in the WARP client's tunnel for a specific device settings profile.

### Parameters

- `policyID string`
- `query DevicePolicyCustomIncludeGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type SplitTunnelInclude interface{…}`
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Custom.Includes.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePolicyCustomIncludeGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Include testing domains in the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Set the Split Tunnel include list for a device settings profile

`client.ZeroTrust.Devices.Policies.Custom.Includes.Update(ctx, policyID, params) (*SinglePage[SplitTunnelInclude], error)`

**put** `/accounts/{account_id}/devices/policy/{policy_id}/include`

Sets the list of routes included in the WARP client's tunnel for a specific device settings profile.

### Parameters

- `policyID string`
- `params DevicePolicyCustomIncludeUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Body param.Field[[]SplitTunnelInclude]` Body param
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
      - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.
    - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
      - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `type SplitTunnelInclude interface{…}`
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}`
    - `Address string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.
  - `type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}`
    - `Host string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `Description string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Custom.Includes.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePolicyCustomIncludeUpdateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Body: []zero_trust.SplitTunnelIncludeUnionParam{zero_trust.SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddressParam{
				Address: cloudflare.F("192.0.2.0/24"),
			}},
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Include testing domains in the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Fallback Domains

## Get the Local Domain Fallback list for a device settings profile

`client.ZeroTrust.Devices.Policies.Custom.FallbackDomains.Get(ctx, policyID, query) (*SinglePage[FallbackDomain], error)`

**get** `/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains`

Fetches the list of domains to bypass Gateway DNS resolution from a specified device settings profile. These domains will use the specified local DNS resolver instead.

### Parameters

- `policyID string`
- `query DevicePolicyCustomFallbackDomainGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type FallbackDomain struct{…}`
  - `Suffix string` The domain suffix to match when resolving locally.
  - `Description string` A description of the fallback domain, displayed in the client UI.
  - `DNSServer []string` A list of IP addresses to handle domain resolution.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Custom.FallbackDomains.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePolicyCustomFallbackDomainGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "suffix": "example.com",
      "description": "Domain bypass for local development",
      "dns_server": [
        "1.1.1.1"
      ]
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Set the Local Domain Fallback list for a device settings profile

`client.ZeroTrust.Devices.Policies.Custom.FallbackDomains.Update(ctx, policyID, params) (*SinglePage[FallbackDomain], error)`

**put** `/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains`

Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. This will only apply to the specified device settings profile.

### Parameters

- `policyID string`
- `params DevicePolicyCustomFallbackDomainUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Domains param.Field[[]FallbackDomain]` Body param
    - `Suffix string` The domain suffix to match when resolving locally.
    - `Description string` A description of the fallback domain, displayed in the client UI.
    - `DNSServer []string` A list of IP addresses to handle domain resolution.

### Returns

- `type FallbackDomain struct{…}`
  - `Suffix string` The domain suffix to match when resolving locally.
  - `Description string` A description of the fallback domain, displayed in the client UI.
  - `DNSServer []string` A list of IP addresses to handle domain resolution.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Policies.Custom.FallbackDomains.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePolicyCustomFallbackDomainUpdateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Domains: []zero_trust.FallbackDomainParam{zero_trust.FallbackDomainParam{
				Suffix: cloudflare.F("example.com"),
			}},
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "suffix": "example.com",
      "description": "Domain bypass for local development",
      "dns_server": [
        "1.1.1.1"
      ]
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Posture

## List device posture rules

`client.ZeroTrust.Devices.Posture.List(ctx, query) (*SinglePage[DevicePostureRule], error)`

**get** `/accounts/{account_id}/devices/posture`

Fetches device posture rules for a Zero Trust account.
### Parameters

- `query DevicePostureListParams`
  - `AccountID param.Field[string]`

### Returns

- `type DevicePostureRule struct{…}`
  - `ID string` API UUID.
  - `Description string` The description of the device posture rule.
  - `Expiration string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `Input DeviceInput` The value to be checked against.
    - `type FileInput struct{…}`
      - `OperatingSystem FileInputOperatingSystem` Operating system.
        - `const FileInputOperatingSystemWindows FileInputOperatingSystem = "windows"`
        - `const FileInputOperatingSystemLinux FileInputOperatingSystem = "linux"`
        - `const FileInputOperatingSystemMac FileInputOperatingSystem = "mac"`
      - `Path string` File path.
      - `Exists bool` Whether or not file exists.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type UniqueClientIDInput struct{…}`
      - `ID string` List ID.
      - `OperatingSystem UniqueClientIDInputOperatingSystem` Operating System.
        - `const UniqueClientIDInputOperatingSystemAndroid UniqueClientIDInputOperatingSystem = "android"`
        - `const UniqueClientIDInputOperatingSystemIos UniqueClientIDInputOperatingSystem = "ios"`
        - `const UniqueClientIDInputOperatingSystemChromeos UniqueClientIDInputOperatingSystem = "chromeos"`
    - `type DomainJoinedInput struct{…}`
      - `OperatingSystem DomainJoinedInputOperatingSystem` Operating System.
        - `const DomainJoinedInputOperatingSystemWindows DomainJoinedInputOperatingSystem = "windows"`
      - `Domain string` Domain.
    - `type OSVersionInput struct{…}`
      - `OperatingSystem OSVersionInputOperatingSystem` Operating System.
        - `const OSVersionInputOperatingSystemWindows OSVersionInputOperatingSystem = "windows"`
      - `Operator OSVersionInputOperator` Operator.
        - `const OSVersionInputOperatorLess OSVersionInputOperator = "<"`
        - `const OSVersionInputOperatorLessOrEquals OSVersionInputOperator = "<="`
        - `const OSVersionInputOperatorGreater OSVersionInputOperator = ">"`
        - `const OSVersionInputOperatorGreaterOrEquals OSVersionInputOperator = ">="`
        - `const OSVersionInputOperatorEquals OSVersionInputOperator = "=="`
      - `Version string` Version of OS.
      - `OSDistroName string` Operating System Distribution Name (linux only).
      - `OSDistroRevision string` Version of OS Distribution (linux only).
      - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `type FirewallInput struct{…}`
      - `Enabled bool` Enabled.
      - `OperatingSystem FirewallInputOperatingSystem` Operating System.
        - `const FirewallInputOperatingSystemWindows FirewallInputOperatingSystem = "windows"`
        - `const FirewallInputOperatingSystemMac FirewallInputOperatingSystem = "mac"`
    - `type SentineloneInput struct{…}`
      - `OperatingSystem SentineloneInputOperatingSystem` Operating system.
        - `const SentineloneInputOperatingSystemWindows SentineloneInputOperatingSystem = "windows"`
        - `const SentineloneInputOperatingSystemLinux SentineloneInputOperatingSystem = "linux"`
        - `const SentineloneInputOperatingSystemMac SentineloneInputOperatingSystem = "mac"`
      - `Path string` File path.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type DeviceInputTeamsDevicesCarbonblackInputRequest struct{…}`
      - `OperatingSystem DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemWindows DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemLinux DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemMac DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "mac"`
      - `Path string` File path.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type DeviceInputTeamsDevicesAccessSerialNumberListInputRequest struct{…}`
      - `ID string` UUID of Access List.
    - `type DiskEncryptionInput struct{…}`
      - `CheckDisks []CarbonblackInput` List of volume names to be checked for encryption.
      - `RequireAll bool` Whether to check all disks for encryption.
    - `type DeviceInputTeamsDevicesApplicationInputRequest struct{…}`
      - `OperatingSystem DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemWindows DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemLinux DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemMac DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "mac"`
      - `Path string` Path for the application.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type ClientCertificateInput struct{…}`
      - `CertificateID string` UUID of Cloudflare managed certificate.
      - `Cn string` Common Name that is protected by the certificate.
    - `type DeviceInputTeamsDevicesClientCertificateV2InputRequest struct{…}`
      - `CertificateID string` UUID of Cloudflare managed certificate.
      - `CheckPrivateKey bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `OperatingSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemWindows DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemLinux DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemMac DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "mac"`
      - `Cn string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `ExtendedKeyUsage []DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage` List of values indicating purposes for which the certificate public key can be used.
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageClientAuth DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "clientAuth"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageEmailProtection DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "emailProtection"`
      - `Locations DeviceInputTeamsDevicesClientCertificateV2InputRequestLocations`
        - `Paths []string` List of paths to check for client certificate on linux.
        - `TrustStores []DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore` List of trust stores to check for client certificate.
          - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "system"`
          - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreUser DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "user"`
      - `SubjectAlternativeNames []string` List of certificate Subject Alternative Names.
    - `type DeviceInputTeamsDevicesAntivirusInputRequest struct{…}`
      - `UpdateWindowDays float64` Number of days that the antivirus should be updated within.
    - `type WorkspaceOneInput struct{…}`
      - `ComplianceStatus WorkspaceOneInputComplianceStatus` Compliance Status.
        - `const WorkspaceOneInputComplianceStatusCompliant WorkspaceOneInputComplianceStatus = "compliant"`
        - `const WorkspaceOneInputComplianceStatusNoncompliant WorkspaceOneInputComplianceStatus = "noncompliant"`
        - `const WorkspaceOneInputComplianceStatusUnknown WorkspaceOneInputComplianceStatus = "unknown"`
      - `ConnectionID string` Posture Integration ID.
    - `type CrowdstrikeInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `LastSeen string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `Operator CrowdstrikeInputOperator` Operator.
        - `const CrowdstrikeInputOperatorLess CrowdstrikeInputOperator = "<"`
        - `const CrowdstrikeInputOperatorLessOrEquals CrowdstrikeInputOperator = "<="`
        - `const CrowdstrikeInputOperatorGreater CrowdstrikeInputOperator = ">"`
        - `const CrowdstrikeInputOperatorGreaterOrEquals CrowdstrikeInputOperator = ">="`
        - `const CrowdstrikeInputOperatorEquals CrowdstrikeInputOperator = "=="`
      - `OS string` Os Version.
      - `Overall string` Overall.
      - `SensorConfig string` SensorConfig.
      - `State CrowdstrikeInputState` For more details on state, please refer to the Crowdstrike documentation.
        - `const CrowdstrikeInputStateOnline CrowdstrikeInputState = "online"`
        - `const CrowdstrikeInputStateOffline CrowdstrikeInputState = "offline"`
        - `const CrowdstrikeInputStateUnknown CrowdstrikeInputState = "unknown"`
      - `Version string` Version.
      - `VersionOperator CrowdstrikeInputVersionOperator` Version Operator.
        - `const CrowdstrikeInputVersionOperatorLess CrowdstrikeInputVersionOperator = "<"`
        - `const CrowdstrikeInputVersionOperatorLessOrEquals CrowdstrikeInputVersionOperator = "<="`
        - `const CrowdstrikeInputVersionOperatorGreater CrowdstrikeInputVersionOperator = ">"`
        - `const CrowdstrikeInputVersionOperatorGreaterOrEquals CrowdstrikeInputVersionOperator = ">="`
        - `const CrowdstrikeInputVersionOperatorEquals CrowdstrikeInputVersionOperator = "=="`
    - `type IntuneInput struct{…}`
      - `ComplianceStatus IntuneInputComplianceStatus` Compliance Status.
        - `const IntuneInputComplianceStatusCompliant IntuneInputComplianceStatus = "compliant"`
        - `const IntuneInputComplianceStatusNoncompliant IntuneInputComplianceStatus = "noncompliant"`
        - `const IntuneInputComplianceStatusUnknown IntuneInputComplianceStatus = "unknown"`
        - `const IntuneInputComplianceStatusNotapplicable IntuneInputComplianceStatus = "notapplicable"`
        - `const IntuneInputComplianceStatusIngraceperiod IntuneInputComplianceStatus = "ingraceperiod"`
        - `const IntuneInputComplianceStatusError IntuneInputComplianceStatus = "error"`
      - `ConnectionID string` Posture Integration ID.
    - `type KolideInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `CountOperator KolideInputCountOperator` Count Operator.
- `const KolideInputCountOperatorLess KolideInputCountOperator = "<"` - `const KolideInputCountOperatorLessOrEquals KolideInputCountOperator = "<="` - `const KolideInputCountOperatorGreater KolideInputCountOperator = ">"` - `const KolideInputCountOperatorGreaterOrEquals KolideInputCountOperator = ">="` - `const KolideInputCountOperatorEquals KolideInputCountOperator = "=="` - `IssueCount string` The Number of Issues. - `type TaniumInput struct{…}` - `ConnectionID string` Posture Integration ID. - `EidLastSeen string` For more details on eid last seen, refer to the Tanium documentation. - `Operator TaniumInputOperator` Operator to evaluate risk_level or eid_last_seen. - `const TaniumInputOperatorLess TaniumInputOperator = "<"` - `const TaniumInputOperatorLessOrEquals TaniumInputOperator = "<="` - `const TaniumInputOperatorGreater TaniumInputOperator = ">"` - `const TaniumInputOperatorGreaterOrEquals TaniumInputOperator = ">="` - `const TaniumInputOperatorEquals TaniumInputOperator = "=="` - `RiskLevel TaniumInputRiskLevel` For more details on risk level, refer to the Tanium documentation. - `const TaniumInputRiskLevelLow TaniumInputRiskLevel = "low"` - `const TaniumInputRiskLevelMedium TaniumInputRiskLevel = "medium"` - `const TaniumInputRiskLevelHigh TaniumInputRiskLevel = "high"` - `const TaniumInputRiskLevelCritical TaniumInputRiskLevel = "critical"` - `ScoreOperator TaniumInputScoreOperator` Score Operator. - `const TaniumInputScoreOperatorLess TaniumInputScoreOperator = "<"` - `const TaniumInputScoreOperatorLessOrEquals TaniumInputScoreOperator = "<="` - `const TaniumInputScoreOperatorGreater TaniumInputScoreOperator = ">"` - `const TaniumInputScoreOperatorGreaterOrEquals TaniumInputScoreOperator = ">="` - `const TaniumInputScoreOperatorEquals TaniumInputScoreOperator = "=="` - `TotalScore float64` For more details on total score, refer to the Tanium documentation. - `type SentineloneS2sInput struct{…}` - `ConnectionID string` Posture Integration ID. 
- `ActiveThreats float64` The Number of active threats. - `Infected bool` Whether device is infected. - `IsActive bool` Whether device is active. - `NetworkStatus SentineloneS2sInputNetworkStatus` Network status of device. - `const SentineloneS2sInputNetworkStatusConnected SentineloneS2sInputNetworkStatus = "connected"` - `const SentineloneS2sInputNetworkStatusDisconnected SentineloneS2sInputNetworkStatus = "disconnected"` - `const SentineloneS2sInputNetworkStatusDisconnecting SentineloneS2sInputNetworkStatus = "disconnecting"` - `const SentineloneS2sInputNetworkStatusConnecting SentineloneS2sInputNetworkStatus = "connecting"` - `OperationalState SentineloneS2sInputOperationalState` Agent operational state. - `const SentineloneS2sInputOperationalStateNa SentineloneS2sInputOperationalState = "na"` - `const SentineloneS2sInputOperationalStatePartiallyDisabled SentineloneS2sInputOperationalState = "partially_disabled"` - `const SentineloneS2sInputOperationalStateAutoFullyDisabled SentineloneS2sInputOperationalState = "auto_fully_disabled"` - `const SentineloneS2sInputOperationalStateFullyDisabled SentineloneS2sInputOperationalState = "fully_disabled"` - `const SentineloneS2sInputOperationalStateAutoPartiallyDisabled SentineloneS2sInputOperationalState = "auto_partially_disabled"` - `const SentineloneS2sInputOperationalStateDisabledError SentineloneS2sInputOperationalState = "disabled_error"` - `const SentineloneS2sInputOperationalStateDBCorruption SentineloneS2sInputOperationalState = "db_corruption"` - `Operator SentineloneS2sInputOperator` Operator. 
- `const SentineloneS2sInputOperatorLess SentineloneS2sInputOperator = "<"` - `const SentineloneS2sInputOperatorLessOrEquals SentineloneS2sInputOperator = "<="` - `const SentineloneS2sInputOperatorGreater SentineloneS2sInputOperator = ">"` - `const SentineloneS2sInputOperatorGreaterOrEquals SentineloneS2sInputOperator = ">="` - `const SentineloneS2sInputOperatorEquals SentineloneS2sInputOperator = "=="` - `type DeviceInputTeamsDevicesCustomS2sInputRequest struct{…}` - `ConnectionID string` Posture Integration ID. - `Operator DeviceInputTeamsDevicesCustomS2sInputRequestOperator` Operator. - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLess DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<"` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLessOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<="` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreater DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">"` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreaterOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">="` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "=="` - `Score float64` A value between 0-100 assigned to devices set by the 3rd party posture provider. - `Match []DeviceMatch` The conditions that the client must match to run the rule. - `Platform DeviceMatchPlatform` - `const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"` - `const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"` - `const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"` - `const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"` - `const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"` - `const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"` - `Name string` The name of the device posture rule. - `Schedule string` Polling frequency for the WARP client posture check. 
Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `Type DevicePostureRuleType` The type of device posture rule.
    - `const DevicePostureRuleTypeFile DevicePostureRuleType = "file"`
    - `const DevicePostureRuleTypeApplication DevicePostureRuleType = "application"`
    - `const DevicePostureRuleTypeTanium DevicePostureRuleType = "tanium"`
    - `const DevicePostureRuleTypeGateway DevicePostureRuleType = "gateway"`
    - `const DevicePostureRuleTypeWARP DevicePostureRuleType = "warp"`
    - `const DevicePostureRuleTypeDiskEncryption DevicePostureRuleType = "disk_encryption"`
    - `const DevicePostureRuleTypeSerialNumber DevicePostureRuleType = "serial_number"`
    - `const DevicePostureRuleTypeSentinelone DevicePostureRuleType = "sentinelone"`
    - `const DevicePostureRuleTypeCarbonblack DevicePostureRuleType = "carbonblack"`
    - `const DevicePostureRuleTypeFirewall DevicePostureRuleType = "firewall"`
    - `const DevicePostureRuleTypeOSVersion DevicePostureRuleType = "os_version"`
    - `const DevicePostureRuleTypeDomainJoined DevicePostureRuleType = "domain_joined"`
    - `const DevicePostureRuleTypeClientCertificate DevicePostureRuleType = "client_certificate"`
    - `const DevicePostureRuleTypeClientCertificateV2 DevicePostureRuleType = "client_certificate_v2"`
    - `const DevicePostureRuleTypeAntivirus DevicePostureRuleType = "antivirus"`
    - `const DevicePostureRuleTypeUniqueClientID DevicePostureRuleType = "unique_client_id"`
    - `const DevicePostureRuleTypeKolide DevicePostureRuleType = "kolide"`
    - `const DevicePostureRuleTypeTaniumS2s DevicePostureRuleType = "tanium_s2s"`
    - `const DevicePostureRuleTypeCrowdstrikeS2s DevicePostureRuleType = "crowdstrike_s2s"`
    - `const DevicePostureRuleTypeIntune DevicePostureRuleType = "intune"`
    - `const DevicePostureRuleTypeWorkspaceOne DevicePostureRuleType = "workspace_one"`
    - `const DevicePostureRuleTypeSentineloneS2s DevicePostureRuleType = "sentinelone_s2s"`
    - `const DevicePostureRuleTypeCustomS2s DevicePostureRuleType = "custom_s2s"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Devices.Posture.List(context.TODO(), zero_trust.DevicePostureListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "description": "The rule for admin serial numbers",
      "expiration": "1h",
      "input": {
        "operating_system": "linux",
        "path": "/bin/cat",
        "exists": true,
        "sha256": "https://api.us-2.crowdstrike.com",
        "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
      },
      "match": [
        {
          "platform": "windows"
        }
      ],
      "name": "Admin Serial Numbers",
      "schedule": "1h",
      "type": "file"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device posture rule details

`client.ZeroTrust.Devices.Posture.Get(ctx, ruleID, query) (*DevicePostureRule, error)`

**get** `/accounts/{account_id}/devices/posture/{rule_id}`

Fetches a single device posture rule.

### Parameters

- `ruleID string` API UUID.
- `query DevicePostureGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type DevicePostureRule struct{…}`
  - `ID string` API UUID.
  - `Description string` The description of the device posture rule.
  - `Expiration string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
- `Input DeviceInput` The value to be checked against. - `type FileInput struct{…}` - `OperatingSystem FileInputOperatingSystem` Operating system. - `const FileInputOperatingSystemWindows FileInputOperatingSystem = "windows"` - `const FileInputOperatingSystemLinux FileInputOperatingSystem = "linux"` - `const FileInputOperatingSystemMac FileInputOperatingSystem = "mac"` - `Path string` File path. - `Exists bool` Whether or not file exists. - `Sha256 string` SHA-256. - `Thumbprint string` Signing certificate thumbprint. - `type UniqueClientIDInput struct{…}` - `ID string` List ID. - `OperatingSystem UniqueClientIDInputOperatingSystem` Operating System. - `const UniqueClientIDInputOperatingSystemAndroid UniqueClientIDInputOperatingSystem = "android"` - `const UniqueClientIDInputOperatingSystemIos UniqueClientIDInputOperatingSystem = "ios"` - `const UniqueClientIDInputOperatingSystemChromeos UniqueClientIDInputOperatingSystem = "chromeos"` - `type DomainJoinedInput struct{…}` - `OperatingSystem DomainJoinedInputOperatingSystem` Operating System. - `const DomainJoinedInputOperatingSystemWindows DomainJoinedInputOperatingSystem = "windows"` - `Domain string` Domain. - `type OSVersionInput struct{…}` - `OperatingSystem OSVersionInputOperatingSystem` Operating System. - `const OSVersionInputOperatingSystemWindows OSVersionInputOperatingSystem = "windows"` - `Operator OSVersionInputOperator` Operator. - `const OSVersionInputOperatorLess OSVersionInputOperator = "<"` - `const OSVersionInputOperatorLessOrEquals OSVersionInputOperator = "<="` - `const OSVersionInputOperatorGreater OSVersionInputOperator = ">"` - `const OSVersionInputOperatorGreaterOrEquals OSVersionInputOperator = ">="` - `const OSVersionInputOperatorEquals OSVersionInputOperator = "=="` - `Version string` Version of OS. - `OSDistroName string` Operating System Distribution Name (linux only). - `OSDistroRevision string` Version of OS Distribution (linux only). 
- `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version. - `type FirewallInput struct{…}` - `Enabled bool` Enabled. - `OperatingSystem FirewallInputOperatingSystem` Operating System. - `const FirewallInputOperatingSystemWindows FirewallInputOperatingSystem = "windows"` - `const FirewallInputOperatingSystemMac FirewallInputOperatingSystem = "mac"` - `type SentineloneInput struct{…}` - `OperatingSystem SentineloneInputOperatingSystem` Operating system. - `const SentineloneInputOperatingSystemWindows SentineloneInputOperatingSystem = "windows"` - `const SentineloneInputOperatingSystemLinux SentineloneInputOperatingSystem = "linux"` - `const SentineloneInputOperatingSystemMac SentineloneInputOperatingSystem = "mac"` - `Path string` File path. - `Sha256 string` SHA-256. - `Thumbprint string` Signing certificate thumbprint. - `type DeviceInputTeamsDevicesCarbonblackInputRequest struct{…}` - `OperatingSystem DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem` Operating system. - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemWindows DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "windows"` - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemLinux DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "linux"` - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemMac DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "mac"` - `Path string` File path. - `Sha256 string` SHA-256. - `Thumbprint string` Signing certificate thumbprint. - `type DeviceInputTeamsDevicesAccessSerialNumberListInputRequest struct{…}` - `ID string` UUID of Access List. - `type DiskEncryptionInput struct{…}` - `CheckDisks []CarbonblackInput` List of volume names to be checked for encryption. - `RequireAll bool` Whether to check all disks for encryption. 
- `type DeviceInputTeamsDevicesApplicationInputRequest struct{…}` - `OperatingSystem DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem` Operating system. - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemWindows DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "windows"` - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemLinux DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "linux"` - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemMac DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "mac"` - `Path string` Path for the application. - `Sha256 string` SHA-256. - `Thumbprint string` Signing certificate thumbprint. - `type ClientCertificateInput struct{…}` - `CertificateID string` UUID of Cloudflare managed certificate. - `Cn string` Common Name that is protected by the certificate. - `type DeviceInputTeamsDevicesClientCertificateV2InputRequest struct{…}` - `CertificateID string` UUID of Cloudflare managed certificate. - `CheckPrivateKey bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key. - `OperatingSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem` Operating system. - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemWindows DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "windows"` - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemLinux DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "linux"` - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemMac DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "mac"` - `Cn string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables. 
- `ExtendedKeyUsage []DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage` List of values indicating purposes for which the certificate public key can be used. - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageClientAuth DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "clientAuth"` - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageEmailProtection DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "emailProtection"` - `Locations DeviceInputTeamsDevicesClientCertificateV2InputRequestLocations` - `Paths []string` List of paths to check for client certificate on linux. - `TrustStores []DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore` List of trust stores to check for client certificate. - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "system"` - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreUser DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "user"` - `SubjectAlternativeNames []string` List of certificate Subject Alternative Names. - `type DeviceInputTeamsDevicesAntivirusInputRequest struct{…}` - `UpdateWindowDays float64` Number of days that the antivirus should be updated within. - `type WorkspaceOneInput struct{…}` - `ComplianceStatus WorkspaceOneInputComplianceStatus` Compliance Status. - `const WorkspaceOneInputComplianceStatusCompliant WorkspaceOneInputComplianceStatus = "compliant"` - `const WorkspaceOneInputComplianceStatusNoncompliant WorkspaceOneInputComplianceStatus = "noncompliant"` - `const WorkspaceOneInputComplianceStatusUnknown WorkspaceOneInputComplianceStatus = "unknown"` - `ConnectionID string` Posture Integration ID. - `type CrowdstrikeInput struct{…}` - `ConnectionID string` Posture Integration ID. 
- `LastSeen string` For more details on last seen, please refer to the Crowdstrike documentation. - `Operator CrowdstrikeInputOperator` Operator. - `const CrowdstrikeInputOperatorLess CrowdstrikeInputOperator = "<"` - `const CrowdstrikeInputOperatorLessOrEquals CrowdstrikeInputOperator = "<="` - `const CrowdstrikeInputOperatorGreater CrowdstrikeInputOperator = ">"` - `const CrowdstrikeInputOperatorGreaterOrEquals CrowdstrikeInputOperator = ">="` - `const CrowdstrikeInputOperatorEquals CrowdstrikeInputOperator = "=="` - `OS string` Os Version. - `Overall string` Overall. - `SensorConfig string` SensorConfig. - `State CrowdstrikeInputState` For more details on state, please refer to the Crowdstrike documentation. - `const CrowdstrikeInputStateOnline CrowdstrikeInputState = "online"` - `const CrowdstrikeInputStateOffline CrowdstrikeInputState = "offline"` - `const CrowdstrikeInputStateUnknown CrowdstrikeInputState = "unknown"` - `Version string` Version. - `VersionOperator CrowdstrikeInputVersionOperator` Version Operator. - `const CrowdstrikeInputVersionOperatorLess CrowdstrikeInputVersionOperator = "<"` - `const CrowdstrikeInputVersionOperatorLessOrEquals CrowdstrikeInputVersionOperator = "<="` - `const CrowdstrikeInputVersionOperatorGreater CrowdstrikeInputVersionOperator = ">"` - `const CrowdstrikeInputVersionOperatorGreaterOrEquals CrowdstrikeInputVersionOperator = ">="` - `const CrowdstrikeInputVersionOperatorEquals CrowdstrikeInputVersionOperator = "=="` - `type IntuneInput struct{…}` - `ComplianceStatus IntuneInputComplianceStatus` Compliance Status. 
- `const IntuneInputComplianceStatusCompliant IntuneInputComplianceStatus = "compliant"` - `const IntuneInputComplianceStatusNoncompliant IntuneInputComplianceStatus = "noncompliant"` - `const IntuneInputComplianceStatusUnknown IntuneInputComplianceStatus = "unknown"` - `const IntuneInputComplianceStatusNotapplicable IntuneInputComplianceStatus = "notapplicable"` - `const IntuneInputComplianceStatusIngraceperiod IntuneInputComplianceStatus = "ingraceperiod"` - `const IntuneInputComplianceStatusError IntuneInputComplianceStatus = "error"` - `ConnectionID string` Posture Integration ID. - `type KolideInput struct{…}` - `ConnectionID string` Posture Integration ID. - `CountOperator KolideInputCountOperator` Count Operator. - `const KolideInputCountOperatorLess KolideInputCountOperator = "<"` - `const KolideInputCountOperatorLessOrEquals KolideInputCountOperator = "<="` - `const KolideInputCountOperatorGreater KolideInputCountOperator = ">"` - `const KolideInputCountOperatorGreaterOrEquals KolideInputCountOperator = ">="` - `const KolideInputCountOperatorEquals KolideInputCountOperator = "=="` - `IssueCount string` The Number of Issues. - `type TaniumInput struct{…}` - `ConnectionID string` Posture Integration ID. - `EidLastSeen string` For more details on eid last seen, refer to the Tanium documentation. - `Operator TaniumInputOperator` Operator to evaluate risk_level or eid_last_seen. - `const TaniumInputOperatorLess TaniumInputOperator = "<"` - `const TaniumInputOperatorLessOrEquals TaniumInputOperator = "<="` - `const TaniumInputOperatorGreater TaniumInputOperator = ">"` - `const TaniumInputOperatorGreaterOrEquals TaniumInputOperator = ">="` - `const TaniumInputOperatorEquals TaniumInputOperator = "=="` - `RiskLevel TaniumInputRiskLevel` For more details on risk level, refer to the Tanium documentation. 
- `const TaniumInputRiskLevelLow TaniumInputRiskLevel = "low"` - `const TaniumInputRiskLevelMedium TaniumInputRiskLevel = "medium"` - `const TaniumInputRiskLevelHigh TaniumInputRiskLevel = "high"` - `const TaniumInputRiskLevelCritical TaniumInputRiskLevel = "critical"` - `ScoreOperator TaniumInputScoreOperator` Score Operator. - `const TaniumInputScoreOperatorLess TaniumInputScoreOperator = "<"` - `const TaniumInputScoreOperatorLessOrEquals TaniumInputScoreOperator = "<="` - `const TaniumInputScoreOperatorGreater TaniumInputScoreOperator = ">"` - `const TaniumInputScoreOperatorGreaterOrEquals TaniumInputScoreOperator = ">="` - `const TaniumInputScoreOperatorEquals TaniumInputScoreOperator = "=="` - `TotalScore float64` For more details on total score, refer to the Tanium documentation. - `type SentineloneS2sInput struct{…}` - `ConnectionID string` Posture Integration ID. - `ActiveThreats float64` The Number of active threats. - `Infected bool` Whether device is infected. - `IsActive bool` Whether device is active. - `NetworkStatus SentineloneS2sInputNetworkStatus` Network status of device. - `const SentineloneS2sInputNetworkStatusConnected SentineloneS2sInputNetworkStatus = "connected"` - `const SentineloneS2sInputNetworkStatusDisconnected SentineloneS2sInputNetworkStatus = "disconnected"` - `const SentineloneS2sInputNetworkStatusDisconnecting SentineloneS2sInputNetworkStatus = "disconnecting"` - `const SentineloneS2sInputNetworkStatusConnecting SentineloneS2sInputNetworkStatus = "connecting"` - `OperationalState SentineloneS2sInputOperationalState` Agent operational state. 
- `const SentineloneS2sInputOperationalStateNa SentineloneS2sInputOperationalState = "na"` - `const SentineloneS2sInputOperationalStatePartiallyDisabled SentineloneS2sInputOperationalState = "partially_disabled"` - `const SentineloneS2sInputOperationalStateAutoFullyDisabled SentineloneS2sInputOperationalState = "auto_fully_disabled"` - `const SentineloneS2sInputOperationalStateFullyDisabled SentineloneS2sInputOperationalState = "fully_disabled"` - `const SentineloneS2sInputOperationalStateAutoPartiallyDisabled SentineloneS2sInputOperationalState = "auto_partially_disabled"` - `const SentineloneS2sInputOperationalStateDisabledError SentineloneS2sInputOperationalState = "disabled_error"` - `const SentineloneS2sInputOperationalStateDBCorruption SentineloneS2sInputOperationalState = "db_corruption"` - `Operator SentineloneS2sInputOperator` Operator. - `const SentineloneS2sInputOperatorLess SentineloneS2sInputOperator = "<"` - `const SentineloneS2sInputOperatorLessOrEquals SentineloneS2sInputOperator = "<="` - `const SentineloneS2sInputOperatorGreater SentineloneS2sInputOperator = ">"` - `const SentineloneS2sInputOperatorGreaterOrEquals SentineloneS2sInputOperator = ">="` - `const SentineloneS2sInputOperatorEquals SentineloneS2sInputOperator = "=="` - `type DeviceInputTeamsDevicesCustomS2sInputRequest struct{…}` - `ConnectionID string` Posture Integration ID. - `Operator DeviceInputTeamsDevicesCustomS2sInputRequestOperator` Operator. 
- `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLess DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<"` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLessOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<="` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreater DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">"` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreaterOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">="` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "=="` - `Score float64` A value between 0-100 assigned to devices set by the 3rd party posture provider. - `Match []DeviceMatch` The conditions that the client must match to run the rule. - `Platform DeviceMatchPlatform` - `const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"` - `const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"` - `const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"` - `const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"` - `const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"` - `const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"` - `Name string` The name of the device posture rule. - `Schedule string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`. - `Type DevicePostureRuleType` The type of device posture rule. 
    - `const DevicePostureRuleTypeFile DevicePostureRuleType = "file"`
    - `const DevicePostureRuleTypeApplication DevicePostureRuleType = "application"`
    - `const DevicePostureRuleTypeTanium DevicePostureRuleType = "tanium"`
    - `const DevicePostureRuleTypeGateway DevicePostureRuleType = "gateway"`
    - `const DevicePostureRuleTypeWARP DevicePostureRuleType = "warp"`
    - `const DevicePostureRuleTypeDiskEncryption DevicePostureRuleType = "disk_encryption"`
    - `const DevicePostureRuleTypeSerialNumber DevicePostureRuleType = "serial_number"`
    - `const DevicePostureRuleTypeSentinelone DevicePostureRuleType = "sentinelone"`
    - `const DevicePostureRuleTypeCarbonblack DevicePostureRuleType = "carbonblack"`
    - `const DevicePostureRuleTypeFirewall DevicePostureRuleType = "firewall"`
    - `const DevicePostureRuleTypeOSVersion DevicePostureRuleType = "os_version"`
    - `const DevicePostureRuleTypeDomainJoined DevicePostureRuleType = "domain_joined"`
    - `const DevicePostureRuleTypeClientCertificate DevicePostureRuleType = "client_certificate"`
    - `const DevicePostureRuleTypeClientCertificateV2 DevicePostureRuleType = "client_certificate_v2"`
    - `const DevicePostureRuleTypeAntivirus DevicePostureRuleType = "antivirus"`
    - `const DevicePostureRuleTypeUniqueClientID DevicePostureRuleType = "unique_client_id"`
    - `const DevicePostureRuleTypeKolide DevicePostureRuleType = "kolide"`
    - `const DevicePostureRuleTypeTaniumS2s DevicePostureRuleType = "tanium_s2s"`
    - `const DevicePostureRuleTypeCrowdstrikeS2s DevicePostureRuleType = "crowdstrike_s2s"`
    - `const DevicePostureRuleTypeIntune DevicePostureRuleType = "intune"`
    - `const DevicePostureRuleTypeWorkspaceOne DevicePostureRuleType = "workspace_one"`
    - `const DevicePostureRuleTypeSentineloneS2s DevicePostureRuleType = "sentinelone_s2s"`
    - `const DevicePostureRuleTypeCustomS2s DevicePostureRuleType = "custom_s2s"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	devicePostureRule, err := client.ZeroTrust.Devices.Posture.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePostureGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", devicePostureRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Create a device posture rule

`client.ZeroTrust.Devices.Posture.New(ctx, params) (*DevicePostureRule, error)`

**post** `/accounts/{account_id}/devices/posture`

Creates a new device posture rule.

### Parameters

- `params DevicePostureNewParams`
  - `AccountID param.Field[string]` Path param
  - `Name param.Field[string]` Body param: The name of the device posture rule.
  - `Type param.Field[DevicePostureNewParamsType]` Body param: The type of device posture rule.
    - `const DevicePostureNewParamsTypeFile DevicePostureNewParamsType = "file"`
    - `const DevicePostureNewParamsTypeApplication DevicePostureNewParamsType = "application"`
    - `const DevicePostureNewParamsTypeTanium DevicePostureNewParamsType = "tanium"`
    - `const DevicePostureNewParamsTypeGateway DevicePostureNewParamsType = "gateway"`
    - `const DevicePostureNewParamsTypeWARP DevicePostureNewParamsType = "warp"`
    - `const DevicePostureNewParamsTypeDiskEncryption DevicePostureNewParamsType = "disk_encryption"`
    - `const DevicePostureNewParamsTypeSerialNumber DevicePostureNewParamsType = "serial_number"`
    - `const DevicePostureNewParamsTypeSentinelone DevicePostureNewParamsType = "sentinelone"`
    - `const DevicePostureNewParamsTypeCarbonblack DevicePostureNewParamsType = "carbonblack"`
    - `const DevicePostureNewParamsTypeFirewall DevicePostureNewParamsType = "firewall"`
    - `const DevicePostureNewParamsTypeOSVersion DevicePostureNewParamsType = "os_version"`
    - `const DevicePostureNewParamsTypeDomainJoined DevicePostureNewParamsType = "domain_joined"`
    - `const DevicePostureNewParamsTypeClientCertificate DevicePostureNewParamsType = "client_certificate"`
    - `const DevicePostureNewParamsTypeClientCertificateV2 DevicePostureNewParamsType = "client_certificate_v2"`
    - `const DevicePostureNewParamsTypeAntivirus DevicePostureNewParamsType = "antivirus"`
    - `const DevicePostureNewParamsTypeUniqueClientID DevicePostureNewParamsType = "unique_client_id"`
    - `const DevicePostureNewParamsTypeKolide DevicePostureNewParamsType = "kolide"`
    - `const DevicePostureNewParamsTypeTaniumS2s DevicePostureNewParamsType = "tanium_s2s"`
    - `const DevicePostureNewParamsTypeCrowdstrikeS2s DevicePostureNewParamsType = "crowdstrike_s2s"`
    - `const DevicePostureNewParamsTypeIntune DevicePostureNewParamsType = "intune"`
    - `const DevicePostureNewParamsTypeWorkspaceOne DevicePostureNewParamsType = "workspace_one"`
    - `const DevicePostureNewParamsTypeSentineloneS2s DevicePostureNewParamsType = "sentinelone_s2s"`
    - `const DevicePostureNewParamsTypeCustomS2s DevicePostureNewParamsType = "custom_s2s"`
  - `Description param.Field[string]` Body param: The description of the device posture rule.
  - `Expiration param.Field[string]` Body param: Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `Input param.Field[DeviceInput]` Body param: The value to be checked against.
  - `Match param.Field[[]DeviceMatch]` Body param: The conditions that the client must match to run the rule.
    - `Platform DeviceMatchPlatform`
      - `const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"`
      - `const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"`
      - `const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"`
      - `const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"`
      - `const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"`
      - `const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"`
  - `Schedule param.Field[string]` Body param: Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.

### Returns

- `type DevicePostureRule struct{…}`
  - `ID string` API UUID.
  - `Description string` The description of the device posture rule.
  - `Expiration string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `Input DeviceInput` The value to be checked against.
    - `type FileInput struct{…}`
      - `OperatingSystem FileInputOperatingSystem` Operating system.
        - `const FileInputOperatingSystemWindows FileInputOperatingSystem = "windows"`
        - `const FileInputOperatingSystemLinux FileInputOperatingSystem = "linux"`
        - `const FileInputOperatingSystemMac FileInputOperatingSystem = "mac"`
      - `Path string` File path.
      - `Exists bool` Whether or not file exists.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type UniqueClientIDInput struct{…}`
      - `ID string` List ID.
      - `OperatingSystem UniqueClientIDInputOperatingSystem` Operating System.
        - `const UniqueClientIDInputOperatingSystemAndroid UniqueClientIDInputOperatingSystem = "android"`
        - `const UniqueClientIDInputOperatingSystemIos UniqueClientIDInputOperatingSystem = "ios"`
        - `const UniqueClientIDInputOperatingSystemChromeos UniqueClientIDInputOperatingSystem = "chromeos"`
    - `type DomainJoinedInput struct{…}`
      - `OperatingSystem DomainJoinedInputOperatingSystem` Operating System.
        - `const DomainJoinedInputOperatingSystemWindows DomainJoinedInputOperatingSystem = "windows"`
      - `Domain string` Domain.
    - `type OSVersionInput struct{…}`
      - `OperatingSystem OSVersionInputOperatingSystem` Operating System.
        - `const OSVersionInputOperatingSystemWindows OSVersionInputOperatingSystem = "windows"`
      - `Operator OSVersionInputOperator` Operator.
        - `const OSVersionInputOperatorLess OSVersionInputOperator = "<"`
        - `const OSVersionInputOperatorLessOrEquals OSVersionInputOperator = "<="`
        - `const OSVersionInputOperatorGreater OSVersionInputOperator = ">"`
        - `const OSVersionInputOperatorGreaterOrEquals OSVersionInputOperator = ">="`
        - `const OSVersionInputOperatorEquals OSVersionInputOperator = "=="`
      - `Version string` Version of OS.
      - `OSDistroName string` Operating System Distribution Name (linux only).
      - `OSDistroRevision string` Version of OS Distribution (linux only).
      - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `type FirewallInput struct{…}`
      - `Enabled bool` Enabled.
      - `OperatingSystem FirewallInputOperatingSystem` Operating System.
        - `const FirewallInputOperatingSystemWindows FirewallInputOperatingSystem = "windows"`
        - `const FirewallInputOperatingSystemMac FirewallInputOperatingSystem = "mac"`
    - `type SentineloneInput struct{…}`
      - `OperatingSystem SentineloneInputOperatingSystem` Operating system.
        - `const SentineloneInputOperatingSystemWindows SentineloneInputOperatingSystem = "windows"`
        - `const SentineloneInputOperatingSystemLinux SentineloneInputOperatingSystem = "linux"`
        - `const SentineloneInputOperatingSystemMac SentineloneInputOperatingSystem = "mac"`
      - `Path string` File path.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type DeviceInputTeamsDevicesCarbonblackInputRequest struct{…}`
      - `OperatingSystem DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemWindows DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemLinux DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemMac DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "mac"`
      - `Path string` File path.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type DeviceInputTeamsDevicesAccessSerialNumberListInputRequest struct{…}`
      - `ID string` UUID of Access List.
    - `type DiskEncryptionInput struct{…}`
      - `CheckDisks []CarbonblackInput` List of volume names to be checked for encryption.
      - `RequireAll bool` Whether to check all disks for encryption.
    - `type DeviceInputTeamsDevicesApplicationInputRequest struct{…}`
      - `OperatingSystem DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemWindows DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemLinux DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemMac DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "mac"`
      - `Path string` Path for the application.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type ClientCertificateInput struct{…}`
      - `CertificateID string` UUID of Cloudflare managed certificate.
      - `Cn string` Common Name that is protected by the certificate.
    - `type DeviceInputTeamsDevicesClientCertificateV2InputRequest struct{…}`
      - `CertificateID string` UUID of Cloudflare managed certificate.
      - `CheckPrivateKey bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `OperatingSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemWindows DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemLinux DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemMac DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "mac"`
      - `Cn string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `ExtendedKeyUsage []DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage` List of values indicating purposes for which the certificate public key can be used.
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageClientAuth DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "clientAuth"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageEmailProtection DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "emailProtection"`
      - `Locations DeviceInputTeamsDevicesClientCertificateV2InputRequestLocations`
        - `Paths []string` List of paths to check for client certificate on linux.
        - `TrustStores []DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore` List of trust stores to check for client certificate.
          - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "system"`
          - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreUser DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "user"`
      - `SubjectAlternativeNames []string` List of certificate Subject Alternative Names.
    - `type DeviceInputTeamsDevicesAntivirusInputRequest struct{…}`
      - `UpdateWindowDays float64` Number of days that the antivirus should be updated within.
    - `type WorkspaceOneInput struct{…}`
      - `ComplianceStatus WorkspaceOneInputComplianceStatus` Compliance Status.
        - `const WorkspaceOneInputComplianceStatusCompliant WorkspaceOneInputComplianceStatus = "compliant"`
        - `const WorkspaceOneInputComplianceStatusNoncompliant WorkspaceOneInputComplianceStatus = "noncompliant"`
        - `const WorkspaceOneInputComplianceStatusUnknown WorkspaceOneInputComplianceStatus = "unknown"`
      - `ConnectionID string` Posture Integration ID.
    - `type CrowdstrikeInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `LastSeen string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `Operator CrowdstrikeInputOperator` Operator.
        - `const CrowdstrikeInputOperatorLess CrowdstrikeInputOperator = "<"`
        - `const CrowdstrikeInputOperatorLessOrEquals CrowdstrikeInputOperator = "<="`
        - `const CrowdstrikeInputOperatorGreater CrowdstrikeInputOperator = ">"`
        - `const CrowdstrikeInputOperatorGreaterOrEquals CrowdstrikeInputOperator = ">="`
        - `const CrowdstrikeInputOperatorEquals CrowdstrikeInputOperator = "=="`
      - `OS string` Os Version.
      - `Overall string` Overall.
      - `SensorConfig string` SensorConfig.
      - `State CrowdstrikeInputState` For more details on state, please refer to the Crowdstrike documentation.
        - `const CrowdstrikeInputStateOnline CrowdstrikeInputState = "online"`
        - `const CrowdstrikeInputStateOffline CrowdstrikeInputState = "offline"`
        - `const CrowdstrikeInputStateUnknown CrowdstrikeInputState = "unknown"`
      - `Version string` Version.
      - `VersionOperator CrowdstrikeInputVersionOperator` Version Operator.
        - `const CrowdstrikeInputVersionOperatorLess CrowdstrikeInputVersionOperator = "<"`
        - `const CrowdstrikeInputVersionOperatorLessOrEquals CrowdstrikeInputVersionOperator = "<="`
        - `const CrowdstrikeInputVersionOperatorGreater CrowdstrikeInputVersionOperator = ">"`
        - `const CrowdstrikeInputVersionOperatorGreaterOrEquals CrowdstrikeInputVersionOperator = ">="`
        - `const CrowdstrikeInputVersionOperatorEquals CrowdstrikeInputVersionOperator = "=="`
    - `type IntuneInput struct{…}`
      - `ComplianceStatus IntuneInputComplianceStatus` Compliance Status.
        - `const IntuneInputComplianceStatusCompliant IntuneInputComplianceStatus = "compliant"`
        - `const IntuneInputComplianceStatusNoncompliant IntuneInputComplianceStatus = "noncompliant"`
        - `const IntuneInputComplianceStatusUnknown IntuneInputComplianceStatus = "unknown"`
        - `const IntuneInputComplianceStatusNotapplicable IntuneInputComplianceStatus = "notapplicable"`
        - `const IntuneInputComplianceStatusIngraceperiod IntuneInputComplianceStatus = "ingraceperiod"`
        - `const IntuneInputComplianceStatusError IntuneInputComplianceStatus = "error"`
      - `ConnectionID string` Posture Integration ID.
    - `type KolideInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `CountOperator KolideInputCountOperator` Count Operator.
        - `const KolideInputCountOperatorLess KolideInputCountOperator = "<"`
        - `const KolideInputCountOperatorLessOrEquals KolideInputCountOperator = "<="`
        - `const KolideInputCountOperatorGreater KolideInputCountOperator = ">"`
        - `const KolideInputCountOperatorGreaterOrEquals KolideInputCountOperator = ">="`
        - `const KolideInputCountOperatorEquals KolideInputCountOperator = "=="`
      - `IssueCount string` The Number of Issues.
    - `type TaniumInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `EidLastSeen string` For more details on eid last seen, refer to the Tanium documentation.
      - `Operator TaniumInputOperator` Operator to evaluate risk_level or eid_last_seen.
        - `const TaniumInputOperatorLess TaniumInputOperator = "<"`
        - `const TaniumInputOperatorLessOrEquals TaniumInputOperator = "<="`
        - `const TaniumInputOperatorGreater TaniumInputOperator = ">"`
        - `const TaniumInputOperatorGreaterOrEquals TaniumInputOperator = ">="`
        - `const TaniumInputOperatorEquals TaniumInputOperator = "=="`
      - `RiskLevel TaniumInputRiskLevel` For more details on risk level, refer to the Tanium documentation.
        - `const TaniumInputRiskLevelLow TaniumInputRiskLevel = "low"`
        - `const TaniumInputRiskLevelMedium TaniumInputRiskLevel = "medium"`
        - `const TaniumInputRiskLevelHigh TaniumInputRiskLevel = "high"`
        - `const TaniumInputRiskLevelCritical TaniumInputRiskLevel = "critical"`
      - `ScoreOperator TaniumInputScoreOperator` Score Operator.
        - `const TaniumInputScoreOperatorLess TaniumInputScoreOperator = "<"`
        - `const TaniumInputScoreOperatorLessOrEquals TaniumInputScoreOperator = "<="`
        - `const TaniumInputScoreOperatorGreater TaniumInputScoreOperator = ">"`
        - `const TaniumInputScoreOperatorGreaterOrEquals TaniumInputScoreOperator = ">="`
        - `const TaniumInputScoreOperatorEquals TaniumInputScoreOperator = "=="`
      - `TotalScore float64` For more details on total score, refer to the Tanium documentation.
    - `type SentineloneS2sInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `ActiveThreats float64` The Number of active threats.
      - `Infected bool` Whether device is infected.
      - `IsActive bool` Whether device is active.
      - `NetworkStatus SentineloneS2sInputNetworkStatus` Network status of device.
        - `const SentineloneS2sInputNetworkStatusConnected SentineloneS2sInputNetworkStatus = "connected"`
        - `const SentineloneS2sInputNetworkStatusDisconnected SentineloneS2sInputNetworkStatus = "disconnected"`
        - `const SentineloneS2sInputNetworkStatusDisconnecting SentineloneS2sInputNetworkStatus = "disconnecting"`
        - `const SentineloneS2sInputNetworkStatusConnecting SentineloneS2sInputNetworkStatus = "connecting"`
      - `OperationalState SentineloneS2sInputOperationalState` Agent operational state.
        - `const SentineloneS2sInputOperationalStateNa SentineloneS2sInputOperationalState = "na"`
        - `const SentineloneS2sInputOperationalStatePartiallyDisabled SentineloneS2sInputOperationalState = "partially_disabled"`
        - `const SentineloneS2sInputOperationalStateAutoFullyDisabled SentineloneS2sInputOperationalState = "auto_fully_disabled"`
        - `const SentineloneS2sInputOperationalStateFullyDisabled SentineloneS2sInputOperationalState = "fully_disabled"`
        - `const SentineloneS2sInputOperationalStateAutoPartiallyDisabled SentineloneS2sInputOperationalState = "auto_partially_disabled"`
        - `const SentineloneS2sInputOperationalStateDisabledError SentineloneS2sInputOperationalState = "disabled_error"`
        - `const SentineloneS2sInputOperationalStateDBCorruption SentineloneS2sInputOperationalState = "db_corruption"`
      - `Operator SentineloneS2sInputOperator` Operator.
        - `const SentineloneS2sInputOperatorLess SentineloneS2sInputOperator = "<"`
        - `const SentineloneS2sInputOperatorLessOrEquals SentineloneS2sInputOperator = "<="`
        - `const SentineloneS2sInputOperatorGreater SentineloneS2sInputOperator = ">"`
        - `const SentineloneS2sInputOperatorGreaterOrEquals SentineloneS2sInputOperator = ">="`
        - `const SentineloneS2sInputOperatorEquals SentineloneS2sInputOperator = "=="`
    - `type DeviceInputTeamsDevicesCustomS2sInputRequest struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `Operator DeviceInputTeamsDevicesCustomS2sInputRequestOperator` Operator.
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLess DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<"`
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLessOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<="`
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreater DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">"`
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreaterOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">="`
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "=="`
      - `Score float64` A value between 0-100 assigned to devices set by the 3rd party posture provider.
  - `Match []DeviceMatch` The conditions that the client must match to run the rule.
    - `Platform DeviceMatchPlatform`
      - `const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"`
      - `const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"`
      - `const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"`
      - `const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"`
      - `const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"`
      - `const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"`
  - `Name string` The name of the device posture rule.
  - `Schedule string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `Type DevicePostureRuleType` The type of device posture rule.
    - `const DevicePostureRuleTypeFile DevicePostureRuleType = "file"`
    - `const DevicePostureRuleTypeApplication DevicePostureRuleType = "application"`
    - `const DevicePostureRuleTypeTanium DevicePostureRuleType = "tanium"`
    - `const DevicePostureRuleTypeGateway DevicePostureRuleType = "gateway"`
    - `const DevicePostureRuleTypeWARP DevicePostureRuleType = "warp"`
    - `const DevicePostureRuleTypeDiskEncryption DevicePostureRuleType = "disk_encryption"`
    - `const DevicePostureRuleTypeSerialNumber DevicePostureRuleType = "serial_number"`
    - `const DevicePostureRuleTypeSentinelone DevicePostureRuleType = "sentinelone"`
    - `const DevicePostureRuleTypeCarbonblack DevicePostureRuleType = "carbonblack"`
    - `const DevicePostureRuleTypeFirewall DevicePostureRuleType = "firewall"`
    - `const DevicePostureRuleTypeOSVersion DevicePostureRuleType = "os_version"`
    - `const DevicePostureRuleTypeDomainJoined DevicePostureRuleType = "domain_joined"`
    - `const DevicePostureRuleTypeClientCertificate DevicePostureRuleType = "client_certificate"`
    - `const DevicePostureRuleTypeClientCertificateV2 DevicePostureRuleType = "client_certificate_v2"`
    - `const DevicePostureRuleTypeAntivirus DevicePostureRuleType = "antivirus"`
    - `const DevicePostureRuleTypeUniqueClientID DevicePostureRuleType = "unique_client_id"`
    - `const DevicePostureRuleTypeKolide DevicePostureRuleType = "kolide"`
    - `const DevicePostureRuleTypeTaniumS2s DevicePostureRuleType = "tanium_s2s"`
    - `const DevicePostureRuleTypeCrowdstrikeS2s DevicePostureRuleType = "crowdstrike_s2s"`
    - `const DevicePostureRuleTypeIntune DevicePostureRuleType = "intune"`
    - `const DevicePostureRuleTypeWorkspaceOne DevicePostureRuleType = "workspace_one"`
    - `const DevicePostureRuleTypeSentineloneS2s DevicePostureRuleType = "sentinelone_s2s"`
    - `const DevicePostureRuleTypeCustomS2s DevicePostureRuleType = "custom_s2s"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	devicePostureRule, err := client.ZeroTrust.Devices.Posture.New(context.TODO(), zero_trust.DevicePostureNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Name:      cloudflare.F("Admin Serial Numbers"),
		Type:      cloudflare.F(zero_trust.DevicePostureNewParamsTypeFile),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", devicePostureRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Update a device posture rule

`client.ZeroTrust.Devices.Posture.Update(ctx, ruleID, params) (*DevicePostureRule, error)`

**put** `/accounts/{account_id}/devices/posture/{rule_id}`

Updates a device posture rule.

### Parameters

- `ruleID string` API UUID.
- `params DevicePostureUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Name param.Field[string]` Body param: The name of the device posture rule.
  - `Type param.Field[DevicePostureUpdateParamsType]` Body param: The type of device posture rule.
    - `const DevicePostureUpdateParamsTypeFile DevicePostureUpdateParamsType = "file"`
    - `const DevicePostureUpdateParamsTypeApplication DevicePostureUpdateParamsType = "application"`
    - `const DevicePostureUpdateParamsTypeTanium DevicePostureUpdateParamsType = "tanium"`
    - `const DevicePostureUpdateParamsTypeGateway DevicePostureUpdateParamsType = "gateway"`
    - `const DevicePostureUpdateParamsTypeWARP DevicePostureUpdateParamsType = "warp"`
    - `const DevicePostureUpdateParamsTypeDiskEncryption DevicePostureUpdateParamsType = "disk_encryption"`
    - `const DevicePostureUpdateParamsTypeSerialNumber DevicePostureUpdateParamsType = "serial_number"`
    - `const DevicePostureUpdateParamsTypeSentinelone DevicePostureUpdateParamsType = "sentinelone"`
    - `const DevicePostureUpdateParamsTypeCarbonblack DevicePostureUpdateParamsType = "carbonblack"`
    - `const DevicePostureUpdateParamsTypeFirewall DevicePostureUpdateParamsType = "firewall"`
    - `const DevicePostureUpdateParamsTypeOSVersion DevicePostureUpdateParamsType = "os_version"`
    - `const DevicePostureUpdateParamsTypeDomainJoined DevicePostureUpdateParamsType = "domain_joined"`
    - `const DevicePostureUpdateParamsTypeClientCertificate DevicePostureUpdateParamsType = "client_certificate"`
    - `const DevicePostureUpdateParamsTypeClientCertificateV2 DevicePostureUpdateParamsType = "client_certificate_v2"`
    - `const DevicePostureUpdateParamsTypeAntivirus DevicePostureUpdateParamsType = "antivirus"`
    - `const DevicePostureUpdateParamsTypeUniqueClientID DevicePostureUpdateParamsType = "unique_client_id"`
    - `const DevicePostureUpdateParamsTypeKolide DevicePostureUpdateParamsType = "kolide"`
    - `const DevicePostureUpdateParamsTypeTaniumS2s DevicePostureUpdateParamsType = "tanium_s2s"`
    - `const DevicePostureUpdateParamsTypeCrowdstrikeS2s DevicePostureUpdateParamsType = "crowdstrike_s2s"`
    - `const DevicePostureUpdateParamsTypeIntune DevicePostureUpdateParamsType = "intune"`
    - `const DevicePostureUpdateParamsTypeWorkspaceOne DevicePostureUpdateParamsType = "workspace_one"`
    - `const DevicePostureUpdateParamsTypeSentineloneS2s DevicePostureUpdateParamsType = "sentinelone_s2s"`
    - `const DevicePostureUpdateParamsTypeCustomS2s DevicePostureUpdateParamsType = "custom_s2s"`
  - `Description param.Field[string]` Body param: The description of the device posture rule.
  - `Expiration param.Field[string]` Body param: Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `Input param.Field[DeviceInput]` Body param: The value to be checked against.
  - `Match param.Field[[]DeviceMatch]` Body param: The conditions that the client must match to run the rule.
    - `Platform DeviceMatchPlatform`
      - `const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"`
      - `const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"`
      - `const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"`
      - `const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"`
      - `const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"`
      - `const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"`
  - `Schedule param.Field[string]` Body param: Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.

### Returns

- `type DevicePostureRule struct{…}`
  - `ID string` API UUID.
  - `Description string` The description of the device posture rule.
  - `Expiration string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `Input DeviceInput` The value to be checked against.
    - `type FileInput struct{…}`
      - `OperatingSystem FileInputOperatingSystem` Operating system.
        - `const FileInputOperatingSystemWindows FileInputOperatingSystem = "windows"`
        - `const FileInputOperatingSystemLinux FileInputOperatingSystem = "linux"`
        - `const FileInputOperatingSystemMac FileInputOperatingSystem = "mac"`
      - `Path string` File path.
      - `Exists bool` Whether or not file exists.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type UniqueClientIDInput struct{…}`
      - `ID string` List ID.
      - `OperatingSystem UniqueClientIDInputOperatingSystem` Operating System.
        - `const UniqueClientIDInputOperatingSystemAndroid UniqueClientIDInputOperatingSystem = "android"`
        - `const UniqueClientIDInputOperatingSystemIos UniqueClientIDInputOperatingSystem = "ios"`
        - `const UniqueClientIDInputOperatingSystemChromeos UniqueClientIDInputOperatingSystem = "chromeos"`
    - `type DomainJoinedInput struct{…}`
      - `OperatingSystem DomainJoinedInputOperatingSystem` Operating System.
        - `const DomainJoinedInputOperatingSystemWindows DomainJoinedInputOperatingSystem = "windows"`
      - `Domain string` Domain.
    - `type OSVersionInput struct{…}`
      - `OperatingSystem OSVersionInputOperatingSystem` Operating System.
        - `const OSVersionInputOperatingSystemWindows OSVersionInputOperatingSystem = "windows"`
      - `Operator OSVersionInputOperator` Operator.
        - `const OSVersionInputOperatorLess OSVersionInputOperator = "<"`
        - `const OSVersionInputOperatorLessOrEquals OSVersionInputOperator = "<="`
        - `const OSVersionInputOperatorGreater OSVersionInputOperator = ">"`
        - `const OSVersionInputOperatorGreaterOrEquals OSVersionInputOperator = ">="`
        - `const OSVersionInputOperatorEquals OSVersionInputOperator = "=="`
      - `Version string` Version of OS.
      - `OSDistroName string` Operating System Distribution Name (linux only).
      - `OSDistroRevision string` Version of OS Distribution (linux only).
      - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `type FirewallInput struct{…}`
      - `Enabled bool` Enabled.
      - `OperatingSystem FirewallInputOperatingSystem` Operating System.
        - `const FirewallInputOperatingSystemWindows FirewallInputOperatingSystem = "windows"`
        - `const FirewallInputOperatingSystemMac FirewallInputOperatingSystem = "mac"`
    - `type SentineloneInput struct{…}`
      - `OperatingSystem SentineloneInputOperatingSystem` Operating system.
        - `const SentineloneInputOperatingSystemWindows SentineloneInputOperatingSystem = "windows"`
        - `const SentineloneInputOperatingSystemLinux SentineloneInputOperatingSystem = "linux"`
        - `const SentineloneInputOperatingSystemMac SentineloneInputOperatingSystem = "mac"`
      - `Path string` File path.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type DeviceInputTeamsDevicesCarbonblackInputRequest struct{…}`
      - `OperatingSystem DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemWindows DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemLinux DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemMac DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "mac"`
      - `Path string` File path.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type DeviceInputTeamsDevicesAccessSerialNumberListInputRequest struct{…}`
      - `ID string` UUID of Access List.
    - `type DiskEncryptionInput struct{…}`
      - `CheckDisks []CarbonblackInput` List of volume names to be checked for encryption.
      - `RequireAll bool` Whether to check all disks for encryption.
    - `type DeviceInputTeamsDevicesApplicationInputRequest struct{…}`
      - `OperatingSystem DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemWindows DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemLinux DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemMac DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "mac"`
      - `Path string` Path for the application.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type ClientCertificateInput struct{…}`
      - `CertificateID string` UUID of Cloudflare managed certificate.
      - `Cn string` Common Name that is protected by the certificate.
    - `type DeviceInputTeamsDevicesClientCertificateV2InputRequest struct{…}`
      - `CertificateID string` UUID of Cloudflare managed certificate.
      - `CheckPrivateKey bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `OperatingSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemWindows DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemLinux DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemMac DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "mac"`
      - `Cn string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
- `ExtendedKeyUsage []DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage` List of values indicating purposes for which the certificate public key can be used. - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageClientAuth DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "clientAuth"` - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageEmailProtection DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "emailProtection"` - `Locations DeviceInputTeamsDevicesClientCertificateV2InputRequestLocations` - `Paths []string` List of paths to check for client certificate on linux. - `TrustStores []DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore` List of trust stores to check for client certificate. - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "system"` - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreUser DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "user"` - `SubjectAlternativeNames []string` List of certificate Subject Alternative Names. - `type DeviceInputTeamsDevicesAntivirusInputRequest struct{…}` - `UpdateWindowDays float64` Number of days that the antivirus should be updated within. - `type WorkspaceOneInput struct{…}` - `ComplianceStatus WorkspaceOneInputComplianceStatus` Compliance Status. - `const WorkspaceOneInputComplianceStatusCompliant WorkspaceOneInputComplianceStatus = "compliant"` - `const WorkspaceOneInputComplianceStatusNoncompliant WorkspaceOneInputComplianceStatus = "noncompliant"` - `const WorkspaceOneInputComplianceStatusUnknown WorkspaceOneInputComplianceStatus = "unknown"` - `ConnectionID string` Posture Integration ID. - `type CrowdstrikeInput struct{…}` - `ConnectionID string` Posture Integration ID. 
- `LastSeen string` For more details on last seen, please refer to the Crowdstrike documentation. - `Operator CrowdstrikeInputOperator` Operator. - `const CrowdstrikeInputOperatorLess CrowdstrikeInputOperator = "<"` - `const CrowdstrikeInputOperatorLessOrEquals CrowdstrikeInputOperator = "<="` - `const CrowdstrikeInputOperatorGreater CrowdstrikeInputOperator = ">"` - `const CrowdstrikeInputOperatorGreaterOrEquals CrowdstrikeInputOperator = ">="` - `const CrowdstrikeInputOperatorEquals CrowdstrikeInputOperator = "=="` - `OS string` Os Version. - `Overall string` Overall. - `SensorConfig string` SensorConfig. - `State CrowdstrikeInputState` For more details on state, please refer to the Crowdstrike documentation. - `const CrowdstrikeInputStateOnline CrowdstrikeInputState = "online"` - `const CrowdstrikeInputStateOffline CrowdstrikeInputState = "offline"` - `const CrowdstrikeInputStateUnknown CrowdstrikeInputState = "unknown"` - `Version string` Version. - `VersionOperator CrowdstrikeInputVersionOperator` Version Operator. - `const CrowdstrikeInputVersionOperatorLess CrowdstrikeInputVersionOperator = "<"` - `const CrowdstrikeInputVersionOperatorLessOrEquals CrowdstrikeInputVersionOperator = "<="` - `const CrowdstrikeInputVersionOperatorGreater CrowdstrikeInputVersionOperator = ">"` - `const CrowdstrikeInputVersionOperatorGreaterOrEquals CrowdstrikeInputVersionOperator = ">="` - `const CrowdstrikeInputVersionOperatorEquals CrowdstrikeInputVersionOperator = "=="` - `type IntuneInput struct{…}` - `ComplianceStatus IntuneInputComplianceStatus` Compliance Status. 
- `const IntuneInputComplianceStatusCompliant IntuneInputComplianceStatus = "compliant"` - `const IntuneInputComplianceStatusNoncompliant IntuneInputComplianceStatus = "noncompliant"` - `const IntuneInputComplianceStatusUnknown IntuneInputComplianceStatus = "unknown"` - `const IntuneInputComplianceStatusNotapplicable IntuneInputComplianceStatus = "notapplicable"` - `const IntuneInputComplianceStatusIngraceperiod IntuneInputComplianceStatus = "ingraceperiod"` - `const IntuneInputComplianceStatusError IntuneInputComplianceStatus = "error"` - `ConnectionID string` Posture Integration ID. - `type KolideInput struct{…}` - `ConnectionID string` Posture Integration ID. - `CountOperator KolideInputCountOperator` Count Operator. - `const KolideInputCountOperatorLess KolideInputCountOperator = "<"` - `const KolideInputCountOperatorLessOrEquals KolideInputCountOperator = "<="` - `const KolideInputCountOperatorGreater KolideInputCountOperator = ">"` - `const KolideInputCountOperatorGreaterOrEquals KolideInputCountOperator = ">="` - `const KolideInputCountOperatorEquals KolideInputCountOperator = "=="` - `IssueCount string` The Number of Issues. - `type TaniumInput struct{…}` - `ConnectionID string` Posture Integration ID. - `EidLastSeen string` For more details on eid last seen, refer to the Tanium documentation. - `Operator TaniumInputOperator` Operator to evaluate risk_level or eid_last_seen. - `const TaniumInputOperatorLess TaniumInputOperator = "<"` - `const TaniumInputOperatorLessOrEquals TaniumInputOperator = "<="` - `const TaniumInputOperatorGreater TaniumInputOperator = ">"` - `const TaniumInputOperatorGreaterOrEquals TaniumInputOperator = ">="` - `const TaniumInputOperatorEquals TaniumInputOperator = "=="` - `RiskLevel TaniumInputRiskLevel` For more details on risk level, refer to the Tanium documentation. 
- `const TaniumInputRiskLevelLow TaniumInputRiskLevel = "low"` - `const TaniumInputRiskLevelMedium TaniumInputRiskLevel = "medium"` - `const TaniumInputRiskLevelHigh TaniumInputRiskLevel = "high"` - `const TaniumInputRiskLevelCritical TaniumInputRiskLevel = "critical"` - `ScoreOperator TaniumInputScoreOperator` Score Operator. - `const TaniumInputScoreOperatorLess TaniumInputScoreOperator = "<"` - `const TaniumInputScoreOperatorLessOrEquals TaniumInputScoreOperator = "<="` - `const TaniumInputScoreOperatorGreater TaniumInputScoreOperator = ">"` - `const TaniumInputScoreOperatorGreaterOrEquals TaniumInputScoreOperator = ">="` - `const TaniumInputScoreOperatorEquals TaniumInputScoreOperator = "=="` - `TotalScore float64` For more details on total score, refer to the Tanium documentation. - `type SentineloneS2sInput struct{…}` - `ConnectionID string` Posture Integration ID. - `ActiveThreats float64` The Number of active threats. - `Infected bool` Whether device is infected. - `IsActive bool` Whether device is active. - `NetworkStatus SentineloneS2sInputNetworkStatus` Network status of device. - `const SentineloneS2sInputNetworkStatusConnected SentineloneS2sInputNetworkStatus = "connected"` - `const SentineloneS2sInputNetworkStatusDisconnected SentineloneS2sInputNetworkStatus = "disconnected"` - `const SentineloneS2sInputNetworkStatusDisconnecting SentineloneS2sInputNetworkStatus = "disconnecting"` - `const SentineloneS2sInputNetworkStatusConnecting SentineloneS2sInputNetworkStatus = "connecting"` - `OperationalState SentineloneS2sInputOperationalState` Agent operational state. 
- `const SentineloneS2sInputOperationalStateNa SentineloneS2sInputOperationalState = "na"` - `const SentineloneS2sInputOperationalStatePartiallyDisabled SentineloneS2sInputOperationalState = "partially_disabled"` - `const SentineloneS2sInputOperationalStateAutoFullyDisabled SentineloneS2sInputOperationalState = "auto_fully_disabled"` - `const SentineloneS2sInputOperationalStateFullyDisabled SentineloneS2sInputOperationalState = "fully_disabled"` - `const SentineloneS2sInputOperationalStateAutoPartiallyDisabled SentineloneS2sInputOperationalState = "auto_partially_disabled"` - `const SentineloneS2sInputOperationalStateDisabledError SentineloneS2sInputOperationalState = "disabled_error"` - `const SentineloneS2sInputOperationalStateDBCorruption SentineloneS2sInputOperationalState = "db_corruption"` - `Operator SentineloneS2sInputOperator` Operator. - `const SentineloneS2sInputOperatorLess SentineloneS2sInputOperator = "<"` - `const SentineloneS2sInputOperatorLessOrEquals SentineloneS2sInputOperator = "<="` - `const SentineloneS2sInputOperatorGreater SentineloneS2sInputOperator = ">"` - `const SentineloneS2sInputOperatorGreaterOrEquals SentineloneS2sInputOperator = ">="` - `const SentineloneS2sInputOperatorEquals SentineloneS2sInputOperator = "=="` - `type DeviceInputTeamsDevicesCustomS2sInputRequest struct{…}` - `ConnectionID string` Posture Integration ID. - `Operator DeviceInputTeamsDevicesCustomS2sInputRequestOperator` Operator. 
- `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLess DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<"` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLessOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<="` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreater DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">"` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreaterOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">="` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "=="` - `Score float64` A value between 0-100 assigned to devices set by the 3rd party posture provider. - `Match []DeviceMatch` The conditions that the client must match to run the rule. - `Platform DeviceMatchPlatform` - `const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"` - `const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"` - `const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"` - `const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"` - `const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"` - `const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"` - `Name string` The name of the device posture rule. - `Schedule string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`. - `Type DevicePostureRuleType` The type of device posture rule. 
    - `const DevicePostureRuleTypeFile DevicePostureRuleType = "file"`
    - `const DevicePostureRuleTypeApplication DevicePostureRuleType = "application"`
    - `const DevicePostureRuleTypeTanium DevicePostureRuleType = "tanium"`
    - `const DevicePostureRuleTypeGateway DevicePostureRuleType = "gateway"`
    - `const DevicePostureRuleTypeWARP DevicePostureRuleType = "warp"`
    - `const DevicePostureRuleTypeDiskEncryption DevicePostureRuleType = "disk_encryption"`
    - `const DevicePostureRuleTypeSerialNumber DevicePostureRuleType = "serial_number"`
    - `const DevicePostureRuleTypeSentinelone DevicePostureRuleType = "sentinelone"`
    - `const DevicePostureRuleTypeCarbonblack DevicePostureRuleType = "carbonblack"`
    - `const DevicePostureRuleTypeFirewall DevicePostureRuleType = "firewall"`
    - `const DevicePostureRuleTypeOSVersion DevicePostureRuleType = "os_version"`
    - `const DevicePostureRuleTypeDomainJoined DevicePostureRuleType = "domain_joined"`
    - `const DevicePostureRuleTypeClientCertificate DevicePostureRuleType = "client_certificate"`
    - `const DevicePostureRuleTypeClientCertificateV2 DevicePostureRuleType = "client_certificate_v2"`
    - `const DevicePostureRuleTypeAntivirus DevicePostureRuleType = "antivirus"`
    - `const DevicePostureRuleTypeUniqueClientID DevicePostureRuleType = "unique_client_id"`
    - `const DevicePostureRuleTypeKolide DevicePostureRuleType = "kolide"`
    - `const DevicePostureRuleTypeTaniumS2s DevicePostureRuleType = "tanium_s2s"`
    - `const DevicePostureRuleTypeCrowdstrikeS2s DevicePostureRuleType = "crowdstrike_s2s"`
    - `const DevicePostureRuleTypeIntune DevicePostureRuleType = "intune"`
    - `const DevicePostureRuleTypeWorkspaceOne DevicePostureRuleType = "workspace_one"`
    - `const DevicePostureRuleTypeSentineloneS2s DevicePostureRuleType = "sentinelone_s2s"`
    - `const DevicePostureRuleTypeCustomS2s DevicePostureRuleType = "custom_s2s"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	devicePostureRule, err := client.ZeroTrust.Devices.Posture.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePostureUpdateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Name:      cloudflare.F("Admin Serial Numbers"),
			Type:      cloudflare.F(zero_trust.DevicePostureUpdateParamsTypeFile),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", devicePostureRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Delete a device posture rule

`client.ZeroTrust.Devices.Posture.Delete(ctx, ruleID, body) (*DevicePostureDeleteResponse, error)`

**delete** `/accounts/{account_id}/devices/posture/{rule_id}`

Deletes a device posture rule.

### Parameters

- `ruleID string` API UUID.
- `body DevicePostureDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DevicePostureDeleteResponse struct{…}`
  - `ID string` API UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	posture, err := client.ZeroTrust.Devices.Posture.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePostureDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", posture.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Domain Types

### Carbonblack Input

- `type CarbonblackInput string`

### Client Certificate Input

- `type ClientCertificateInput struct{…}`
  - `CertificateID string` UUID of Cloudflare managed certificate.
  - `Cn string` Common Name that is protected by the certificate.

### Crowdstrike Input

- `type CrowdstrikeInput struct{…}`
  - `ConnectionID string` Posture Integration ID.
  - `LastSeen string` For more details on last seen, please refer to the Crowdstrike documentation.
  - `Operator CrowdstrikeInputOperator` Operator.
    - `const CrowdstrikeInputOperatorLess CrowdstrikeInputOperator = "<"`
    - `const CrowdstrikeInputOperatorLessOrEquals CrowdstrikeInputOperator = "<="`
    - `const CrowdstrikeInputOperatorGreater CrowdstrikeInputOperator = ">"`
    - `const CrowdstrikeInputOperatorGreaterOrEquals CrowdstrikeInputOperator = ">="`
    - `const CrowdstrikeInputOperatorEquals CrowdstrikeInputOperator = "=="`
  - `OS string` Os Version.
  - `Overall string` Overall.
  - `SensorConfig string` SensorConfig.
  - `State CrowdstrikeInputState` For more details on state, please refer to the Crowdstrike documentation.
    - `const CrowdstrikeInputStateOnline CrowdstrikeInputState = "online"`
    - `const CrowdstrikeInputStateOffline CrowdstrikeInputState = "offline"`
    - `const CrowdstrikeInputStateUnknown CrowdstrikeInputState = "unknown"`
  - `Version string` Version.
  - `VersionOperator CrowdstrikeInputVersionOperator` Version Operator.
    - `const CrowdstrikeInputVersionOperatorLess CrowdstrikeInputVersionOperator = "<"`
    - `const CrowdstrikeInputVersionOperatorLessOrEquals CrowdstrikeInputVersionOperator = "<="`
    - `const CrowdstrikeInputVersionOperatorGreater CrowdstrikeInputVersionOperator = ">"`
    - `const CrowdstrikeInputVersionOperatorGreaterOrEquals CrowdstrikeInputVersionOperator = ">="`
    - `const CrowdstrikeInputVersionOperatorEquals CrowdstrikeInputVersionOperator = "=="`

### Device Input

- `type DeviceInput interface{…}` The value to be checked against.
  - `type FileInput struct{…}`
    - `OperatingSystem FileInputOperatingSystem` Operating system.
      - `const FileInputOperatingSystemWindows FileInputOperatingSystem = "windows"`
      - `const FileInputOperatingSystemLinux FileInputOperatingSystem = "linux"`
      - `const FileInputOperatingSystemMac FileInputOperatingSystem = "mac"`
    - `Path string` File path.
    - `Exists bool` Whether or not file exists.
    - `Sha256 string` SHA-256.
    - `Thumbprint string` Signing certificate thumbprint.
  - `type UniqueClientIDInput struct{…}`
    - `ID string` List ID.
    - `OperatingSystem UniqueClientIDInputOperatingSystem` Operating System.
      - `const UniqueClientIDInputOperatingSystemAndroid UniqueClientIDInputOperatingSystem = "android"`
      - `const UniqueClientIDInputOperatingSystemIos UniqueClientIDInputOperatingSystem = "ios"`
      - `const UniqueClientIDInputOperatingSystemChromeos UniqueClientIDInputOperatingSystem = "chromeos"`
  - `type DomainJoinedInput struct{…}`
    - `OperatingSystem DomainJoinedInputOperatingSystem` Operating System.
      - `const DomainJoinedInputOperatingSystemWindows DomainJoinedInputOperatingSystem = "windows"`
    - `Domain string` Domain.
  - `type OSVersionInput struct{…}`
    - `OperatingSystem OSVersionInputOperatingSystem` Operating System.
      - `const OSVersionInputOperatingSystemWindows OSVersionInputOperatingSystem = "windows"`
    - `Operator OSVersionInputOperator` Operator.
      - `const OSVersionInputOperatorLess OSVersionInputOperator = "<"`
      - `const OSVersionInputOperatorLessOrEquals OSVersionInputOperator = "<="`
      - `const OSVersionInputOperatorGreater OSVersionInputOperator = ">"`
      - `const OSVersionInputOperatorGreaterOrEquals OSVersionInputOperator = ">="`
      - `const OSVersionInputOperatorEquals OSVersionInputOperator = "=="`
    - `Version string` Version of OS.
    - `OSDistroName string` Operating System Distribution Name (linux only).
    - `OSDistroRevision string` Version of OS Distribution (linux only).
    - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `type FirewallInput struct{…}`
    - `Enabled bool` Enabled.
    - `OperatingSystem FirewallInputOperatingSystem` Operating System.
      - `const FirewallInputOperatingSystemWindows FirewallInputOperatingSystem = "windows"`
      - `const FirewallInputOperatingSystemMac FirewallInputOperatingSystem = "mac"`
  - `type SentineloneInput struct{…}`
    - `OperatingSystem SentineloneInputOperatingSystem` Operating system.
      - `const SentineloneInputOperatingSystemWindows SentineloneInputOperatingSystem = "windows"`
      - `const SentineloneInputOperatingSystemLinux SentineloneInputOperatingSystem = "linux"`
      - `const SentineloneInputOperatingSystemMac SentineloneInputOperatingSystem = "mac"`
    - `Path string` File path.
    - `Sha256 string` SHA-256.
    - `Thumbprint string` Signing certificate thumbprint.
  - `type DeviceInputTeamsDevicesCarbonblackInputRequest struct{…}`
    - `OperatingSystem DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem` Operating system.
      - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemWindows DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "windows"`
      - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemLinux DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "linux"`
      - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemMac DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "mac"`
    - `Path string` File path.
    - `Sha256 string` SHA-256.
    - `Thumbprint string` Signing certificate thumbprint.
  - `type DeviceInputTeamsDevicesAccessSerialNumberListInputRequest struct{…}`
    - `ID string` UUID of Access List.
  - `type DiskEncryptionInput struct{…}`
    - `CheckDisks []CarbonblackInput` List of volume names to be checked for encryption.
    - `RequireAll bool` Whether to check all disks for encryption.
  - `type DeviceInputTeamsDevicesApplicationInputRequest struct{…}`
    - `OperatingSystem DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem` Operating system.
      - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemWindows DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "windows"`
      - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemLinux DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "linux"`
      - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemMac DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "mac"`
    - `Path string` Path for the application.
    - `Sha256 string` SHA-256.
    - `Thumbprint string` Signing certificate thumbprint.
  - `type ClientCertificateInput struct{…}`
    - `CertificateID string` UUID of Cloudflare managed certificate.
    - `Cn string` Common Name that is protected by the certificate.
  - `type DeviceInputTeamsDevicesClientCertificateV2InputRequest struct{…}`
    - `CertificateID string` UUID of Cloudflare managed certificate.
    - `CheckPrivateKey bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
    - `OperatingSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem` Operating system.
      - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemWindows DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "windows"`
      - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemLinux DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "linux"`
      - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemMac DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "mac"`
    - `Cn string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
    - `ExtendedKeyUsage []DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage` List of values indicating purposes for which the certificate public key can be used.
      - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageClientAuth DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "clientAuth"`
      - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageEmailProtection DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "emailProtection"`
    - `Locations DeviceInputTeamsDevicesClientCertificateV2InputRequestLocations`
      - `Paths []string` List of paths to check for client certificate on linux.
      - `TrustStores []DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore` List of trust stores to check for client certificate.
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "system"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreUser DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "user"`
    - `SubjectAlternativeNames []string` List of certificate Subject Alternative Names.
  - `type DeviceInputTeamsDevicesAntivirusInputRequest struct{…}`
    - `UpdateWindowDays float64` Number of days that the antivirus should be updated within.
  - `type WorkspaceOneInput struct{…}`
    - `ComplianceStatus WorkspaceOneInputComplianceStatus` Compliance Status.
      - `const WorkspaceOneInputComplianceStatusCompliant WorkspaceOneInputComplianceStatus = "compliant"`
      - `const WorkspaceOneInputComplianceStatusNoncompliant WorkspaceOneInputComplianceStatus = "noncompliant"`
      - `const WorkspaceOneInputComplianceStatusUnknown WorkspaceOneInputComplianceStatus = "unknown"`
    - `ConnectionID string` Posture Integration ID.
  - `type CrowdstrikeInput struct{…}`
    - `ConnectionID string` Posture Integration ID.
    - `LastSeen string` For more details on last seen, please refer to the Crowdstrike documentation.
    - `Operator CrowdstrikeInputOperator` Operator.
      - `const CrowdstrikeInputOperatorLess CrowdstrikeInputOperator = "<"`
      - `const CrowdstrikeInputOperatorLessOrEquals CrowdstrikeInputOperator = "<="`
      - `const CrowdstrikeInputOperatorGreater CrowdstrikeInputOperator = ">"`
      - `const CrowdstrikeInputOperatorGreaterOrEquals CrowdstrikeInputOperator = ">="`
      - `const CrowdstrikeInputOperatorEquals CrowdstrikeInputOperator = "=="`
    - `OS string` Os Version.
    - `Overall string` Overall.
    - `SensorConfig string` SensorConfig.
    - `State CrowdstrikeInputState` For more details on state, please refer to the Crowdstrike documentation.
      - `const CrowdstrikeInputStateOnline CrowdstrikeInputState = "online"`
      - `const CrowdstrikeInputStateOffline CrowdstrikeInputState = "offline"`
      - `const CrowdstrikeInputStateUnknown CrowdstrikeInputState = "unknown"`
    - `Version string` Version.
    - `VersionOperator CrowdstrikeInputVersionOperator` Version Operator.
      - `const CrowdstrikeInputVersionOperatorLess CrowdstrikeInputVersionOperator = "<"`
      - `const CrowdstrikeInputVersionOperatorLessOrEquals CrowdstrikeInputVersionOperator = "<="`
      - `const CrowdstrikeInputVersionOperatorGreater CrowdstrikeInputVersionOperator = ">"`
      - `const CrowdstrikeInputVersionOperatorGreaterOrEquals CrowdstrikeInputVersionOperator = ">="`
      - `const CrowdstrikeInputVersionOperatorEquals CrowdstrikeInputVersionOperator = "=="`
  - `type IntuneInput struct{…}`
    - `ComplianceStatus IntuneInputComplianceStatus` Compliance Status.
      - `const IntuneInputComplianceStatusCompliant IntuneInputComplianceStatus = "compliant"`
      - `const IntuneInputComplianceStatusNoncompliant IntuneInputComplianceStatus = "noncompliant"`
      - `const IntuneInputComplianceStatusUnknown IntuneInputComplianceStatus = "unknown"`
      - `const IntuneInputComplianceStatusNotapplicable IntuneInputComplianceStatus = "notapplicable"`
      - `const IntuneInputComplianceStatusIngraceperiod IntuneInputComplianceStatus = "ingraceperiod"`
      - `const IntuneInputComplianceStatusError IntuneInputComplianceStatus = "error"`
    - `ConnectionID string` Posture Integration ID.
  - `type KolideInput struct{…}`
    - `ConnectionID string` Posture Integration ID.
    - `CountOperator KolideInputCountOperator` Count Operator.
      - `const KolideInputCountOperatorLess KolideInputCountOperator = "<"`
      - `const KolideInputCountOperatorLessOrEquals KolideInputCountOperator = "<="`
      - `const KolideInputCountOperatorGreater KolideInputCountOperator = ">"`
      - `const KolideInputCountOperatorGreaterOrEquals KolideInputCountOperator = ">="`
      - `const KolideInputCountOperatorEquals KolideInputCountOperator = "=="`
    - `IssueCount string` The Number of Issues.
  - `type TaniumInput struct{…}`
    - `ConnectionID string` Posture Integration ID.
    - `EidLastSeen string` For more details on eid last seen, refer to the Tanium documentation.
    - `Operator TaniumInputOperator` Operator to evaluate risk_level or eid_last_seen.
      - `const TaniumInputOperatorLess TaniumInputOperator = "<"`
      - `const TaniumInputOperatorLessOrEquals TaniumInputOperator = "<="`
      - `const TaniumInputOperatorGreater TaniumInputOperator = ">"`
      - `const TaniumInputOperatorGreaterOrEquals TaniumInputOperator = ">="`
      - `const TaniumInputOperatorEquals TaniumInputOperator = "=="`
    - `RiskLevel TaniumInputRiskLevel` For more details on risk level, refer to the Tanium documentation.
      - `const TaniumInputRiskLevelLow TaniumInputRiskLevel = "low"`
      - `const TaniumInputRiskLevelMedium TaniumInputRiskLevel = "medium"`
      - `const TaniumInputRiskLevelHigh TaniumInputRiskLevel = "high"`
      - `const TaniumInputRiskLevelCritical TaniumInputRiskLevel = "critical"`
    - `ScoreOperator TaniumInputScoreOperator` Score Operator.
      - `const TaniumInputScoreOperatorLess TaniumInputScoreOperator = "<"`
      - `const TaniumInputScoreOperatorLessOrEquals TaniumInputScoreOperator = "<="`
      - `const TaniumInputScoreOperatorGreater TaniumInputScoreOperator = ">"`
      - `const TaniumInputScoreOperatorGreaterOrEquals TaniumInputScoreOperator = ">="`
      - `const TaniumInputScoreOperatorEquals TaniumInputScoreOperator = "=="`
    - `TotalScore float64` For more details on total score, refer to the Tanium documentation.
  - `type SentineloneS2sInput struct{…}`
    - `ConnectionID string` Posture Integration ID.
    - `ActiveThreats float64` The Number of active threats.
    - `Infected bool` Whether device is infected.
    - `IsActive bool` Whether device is active.
    - `NetworkStatus SentineloneS2sInputNetworkStatus` Network status of device.
      - `const SentineloneS2sInputNetworkStatusConnected SentineloneS2sInputNetworkStatus = "connected"`
      - `const SentineloneS2sInputNetworkStatusDisconnected SentineloneS2sInputNetworkStatus = "disconnected"`
      - `const SentineloneS2sInputNetworkStatusDisconnecting SentineloneS2sInputNetworkStatus = "disconnecting"`
      - `const SentineloneS2sInputNetworkStatusConnecting SentineloneS2sInputNetworkStatus = "connecting"`
    - `OperationalState SentineloneS2sInputOperationalState` Agent operational state.
      - `const SentineloneS2sInputOperationalStateNa SentineloneS2sInputOperationalState = "na"`
      - `const SentineloneS2sInputOperationalStatePartiallyDisabled SentineloneS2sInputOperationalState = "partially_disabled"`
      - `const SentineloneS2sInputOperationalStateAutoFullyDisabled SentineloneS2sInputOperationalState = "auto_fully_disabled"`
      - `const SentineloneS2sInputOperationalStateFullyDisabled SentineloneS2sInputOperationalState = "fully_disabled"`
      - `const SentineloneS2sInputOperationalStateAutoPartiallyDisabled SentineloneS2sInputOperationalState = "auto_partially_disabled"`
      - `const SentineloneS2sInputOperationalStateDisabledError SentineloneS2sInputOperationalState = "disabled_error"`
      - `const SentineloneS2sInputOperationalStateDBCorruption SentineloneS2sInputOperationalState = "db_corruption"`
    - `Operator SentineloneS2sInputOperator` Operator.
- `const SentineloneS2sInputOperatorLess SentineloneS2sInputOperator = "<"` - `const SentineloneS2sInputOperatorLessOrEquals SentineloneS2sInputOperator = "<="` - `const SentineloneS2sInputOperatorGreater SentineloneS2sInputOperator = ">"` - `const SentineloneS2sInputOperatorGreaterOrEquals SentineloneS2sInputOperator = ">="` - `const SentineloneS2sInputOperatorEquals SentineloneS2sInputOperator = "=="` - `type DeviceInputTeamsDevicesCustomS2sInputRequest struct{…}` - `ConnectionID string` Posture Integration ID. - `Operator DeviceInputTeamsDevicesCustomS2sInputRequestOperator` Operator. - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLess DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<"` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLessOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<="` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreater DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">"` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreaterOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">="` - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "=="` - `Score float64` A value between 0-100 assigned to devices set by the 3rd party posture provider. ### Device Match - `type DeviceMatch struct{…}` - `Platform DeviceMatchPlatform` - `const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"` - `const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"` - `const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"` - `const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"` - `const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"` - `const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"` ### Device Posture Rule - `type DevicePostureRule struct{…}` - `ID string` API UUID. - `Description string` The description of the device posture rule. 
  - `Expiration string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `Input DeviceInput` The value to be checked against.
    - `type FileInput struct{…}`
      - `OperatingSystem FileInputOperatingSystem` Operating system.
        - `const FileInputOperatingSystemWindows FileInputOperatingSystem = "windows"`
        - `const FileInputOperatingSystemLinux FileInputOperatingSystem = "linux"`
        - `const FileInputOperatingSystemMac FileInputOperatingSystem = "mac"`
      - `Path string` File path.
      - `Exists bool` Whether or not file exists.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type UniqueClientIDInput struct{…}`
      - `ID string` List ID.
      - `OperatingSystem UniqueClientIDInputOperatingSystem` Operating System.
        - `const UniqueClientIDInputOperatingSystemAndroid UniqueClientIDInputOperatingSystem = "android"`
        - `const UniqueClientIDInputOperatingSystemIos UniqueClientIDInputOperatingSystem = "ios"`
        - `const UniqueClientIDInputOperatingSystemChromeos UniqueClientIDInputOperatingSystem = "chromeos"`
    - `type DomainJoinedInput struct{…}`
      - `OperatingSystem DomainJoinedInputOperatingSystem` Operating System.
        - `const DomainJoinedInputOperatingSystemWindows DomainJoinedInputOperatingSystem = "windows"`
      - `Domain string` Domain.
    - `type OSVersionInput struct{…}`
      - `OperatingSystem OSVersionInputOperatingSystem` Operating System.
        - `const OSVersionInputOperatingSystemWindows OSVersionInputOperatingSystem = "windows"`
      - `Operator OSVersionInputOperator` Operator.
        - `const OSVersionInputOperatorLess OSVersionInputOperator = "<"`
        - `const OSVersionInputOperatorLessOrEquals OSVersionInputOperator = "<="`
        - `const OSVersionInputOperatorGreater OSVersionInputOperator = ">"`
        - `const OSVersionInputOperatorGreaterOrEquals OSVersionInputOperator = ">="`
        - `const OSVersionInputOperatorEquals OSVersionInputOperator = "=="`
      - `Version string` Version of OS.
      - `OSDistroName string` Operating System Distribution Name (linux only).
      - `OSDistroRevision string` Version of OS Distribution (linux only).
      - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `type FirewallInput struct{…}`
      - `Enabled bool` Enabled.
      - `OperatingSystem FirewallInputOperatingSystem` Operating System.
        - `const FirewallInputOperatingSystemWindows FirewallInputOperatingSystem = "windows"`
        - `const FirewallInputOperatingSystemMac FirewallInputOperatingSystem = "mac"`
    - `type SentineloneInput struct{…}`
      - `OperatingSystem SentineloneInputOperatingSystem` Operating system.
        - `const SentineloneInputOperatingSystemWindows SentineloneInputOperatingSystem = "windows"`
        - `const SentineloneInputOperatingSystemLinux SentineloneInputOperatingSystem = "linux"`
        - `const SentineloneInputOperatingSystemMac SentineloneInputOperatingSystem = "mac"`
      - `Path string` File path.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type DeviceInputTeamsDevicesCarbonblackInputRequest struct{…}`
      - `OperatingSystem DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemWindows DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemLinux DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemMac DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "mac"`
      - `Path string` File path.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type DeviceInputTeamsDevicesAccessSerialNumberListInputRequest struct{…}`
      - `ID string` UUID of Access List.
    - `type DiskEncryptionInput struct{…}`
      - `CheckDisks []CarbonblackInput` List of volume names to be checked for encryption.
      - `RequireAll bool` Whether to check all disks for encryption.
    - `type DeviceInputTeamsDevicesApplicationInputRequest struct{…}`
      - `OperatingSystem DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemWindows DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemLinux DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemMac DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "mac"`
      - `Path string` Path for the application.
      - `Sha256 string` SHA-256.
      - `Thumbprint string` Signing certificate thumbprint.
    - `type ClientCertificateInput struct{…}`
      - `CertificateID string` UUID of Cloudflare managed certificate.
      - `Cn string` Common Name that is protected by the certificate.
    - `type DeviceInputTeamsDevicesClientCertificateV2InputRequest struct{…}`
      - `CertificateID string` UUID of Cloudflare managed certificate.
      - `CheckPrivateKey bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `OperatingSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem` Operating system.
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemWindows DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "windows"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemLinux DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "linux"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemMac DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "mac"`
      - `Cn string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `ExtendedKeyUsage []DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage` List of values indicating purposes for which the certificate public key can be used.
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageClientAuth DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "clientAuth"`
        - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageEmailProtection DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "emailProtection"`
      - `Locations DeviceInputTeamsDevicesClientCertificateV2InputRequestLocations`
        - `Paths []string` List of paths to check for client certificate on linux.
        - `TrustStores []DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore` List of trust stores to check for client certificate.
          - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "system"`
          - `const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreUser DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "user"`
      - `SubjectAlternativeNames []string` List of certificate Subject Alternative Names.
    - `type DeviceInputTeamsDevicesAntivirusInputRequest struct{…}`
      - `UpdateWindowDays float64` Number of days that the antivirus should be updated within.
    - `type WorkspaceOneInput struct{…}`
      - `ComplianceStatus WorkspaceOneInputComplianceStatus` Compliance Status.
        - `const WorkspaceOneInputComplianceStatusCompliant WorkspaceOneInputComplianceStatus = "compliant"`
        - `const WorkspaceOneInputComplianceStatusNoncompliant WorkspaceOneInputComplianceStatus = "noncompliant"`
        - `const WorkspaceOneInputComplianceStatusUnknown WorkspaceOneInputComplianceStatus = "unknown"`
      - `ConnectionID string` Posture Integration ID.
    - `type CrowdstrikeInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `LastSeen string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `Operator CrowdstrikeInputOperator` Operator.
        - `const CrowdstrikeInputOperatorLess CrowdstrikeInputOperator = "<"`
        - `const CrowdstrikeInputOperatorLessOrEquals CrowdstrikeInputOperator = "<="`
        - `const CrowdstrikeInputOperatorGreater CrowdstrikeInputOperator = ">"`
        - `const CrowdstrikeInputOperatorGreaterOrEquals CrowdstrikeInputOperator = ">="`
        - `const CrowdstrikeInputOperatorEquals CrowdstrikeInputOperator = "=="`
      - `OS string` Os Version.
      - `Overall string` Overall.
      - `SensorConfig string` SensorConfig.
      - `State CrowdstrikeInputState` For more details on state, please refer to the Crowdstrike documentation.
        - `const CrowdstrikeInputStateOnline CrowdstrikeInputState = "online"`
        - `const CrowdstrikeInputStateOffline CrowdstrikeInputState = "offline"`
        - `const CrowdstrikeInputStateUnknown CrowdstrikeInputState = "unknown"`
      - `Version string` Version.
      - `VersionOperator CrowdstrikeInputVersionOperator` Version Operator.
        - `const CrowdstrikeInputVersionOperatorLess CrowdstrikeInputVersionOperator = "<"`
        - `const CrowdstrikeInputVersionOperatorLessOrEquals CrowdstrikeInputVersionOperator = "<="`
        - `const CrowdstrikeInputVersionOperatorGreater CrowdstrikeInputVersionOperator = ">"`
        - `const CrowdstrikeInputVersionOperatorGreaterOrEquals CrowdstrikeInputVersionOperator = ">="`
        - `const CrowdstrikeInputVersionOperatorEquals CrowdstrikeInputVersionOperator = "=="`
    - `type IntuneInput struct{…}`
      - `ComplianceStatus IntuneInputComplianceStatus` Compliance Status.
        - `const IntuneInputComplianceStatusCompliant IntuneInputComplianceStatus = "compliant"`
        - `const IntuneInputComplianceStatusNoncompliant IntuneInputComplianceStatus = "noncompliant"`
        - `const IntuneInputComplianceStatusUnknown IntuneInputComplianceStatus = "unknown"`
        - `const IntuneInputComplianceStatusNotapplicable IntuneInputComplianceStatus = "notapplicable"`
        - `const IntuneInputComplianceStatusIngraceperiod IntuneInputComplianceStatus = "ingraceperiod"`
        - `const IntuneInputComplianceStatusError IntuneInputComplianceStatus = "error"`
      - `ConnectionID string` Posture Integration ID.
    - `type KolideInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `CountOperator KolideInputCountOperator` Count Operator.
        - `const KolideInputCountOperatorLess KolideInputCountOperator = "<"`
        - `const KolideInputCountOperatorLessOrEquals KolideInputCountOperator = "<="`
        - `const KolideInputCountOperatorGreater KolideInputCountOperator = ">"`
        - `const KolideInputCountOperatorGreaterOrEquals KolideInputCountOperator = ">="`
        - `const KolideInputCountOperatorEquals KolideInputCountOperator = "=="`
      - `IssueCount string` The Number of Issues.
    - `type TaniumInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `EidLastSeen string` For more details on eid last seen, refer to the Tanium documentation.
      - `Operator TaniumInputOperator` Operator to evaluate risk_level or eid_last_seen.
        - `const TaniumInputOperatorLess TaniumInputOperator = "<"`
        - `const TaniumInputOperatorLessOrEquals TaniumInputOperator = "<="`
        - `const TaniumInputOperatorGreater TaniumInputOperator = ">"`
        - `const TaniumInputOperatorGreaterOrEquals TaniumInputOperator = ">="`
        - `const TaniumInputOperatorEquals TaniumInputOperator = "=="`
      - `RiskLevel TaniumInputRiskLevel` For more details on risk level, refer to the Tanium documentation.
        - `const TaniumInputRiskLevelLow TaniumInputRiskLevel = "low"`
        - `const TaniumInputRiskLevelMedium TaniumInputRiskLevel = "medium"`
        - `const TaniumInputRiskLevelHigh TaniumInputRiskLevel = "high"`
        - `const TaniumInputRiskLevelCritical TaniumInputRiskLevel = "critical"`
      - `ScoreOperator TaniumInputScoreOperator` Score Operator.
        - `const TaniumInputScoreOperatorLess TaniumInputScoreOperator = "<"`
        - `const TaniumInputScoreOperatorLessOrEquals TaniumInputScoreOperator = "<="`
        - `const TaniumInputScoreOperatorGreater TaniumInputScoreOperator = ">"`
        - `const TaniumInputScoreOperatorGreaterOrEquals TaniumInputScoreOperator = ">="`
        - `const TaniumInputScoreOperatorEquals TaniumInputScoreOperator = "=="`
      - `TotalScore float64` For more details on total score, refer to the Tanium documentation.
    - `type SentineloneS2sInput struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `ActiveThreats float64` The Number of active threats.
      - `Infected bool` Whether device is infected.
      - `IsActive bool` Whether device is active.
      - `NetworkStatus SentineloneS2sInputNetworkStatus` Network status of device.
        - `const SentineloneS2sInputNetworkStatusConnected SentineloneS2sInputNetworkStatus = "connected"`
        - `const SentineloneS2sInputNetworkStatusDisconnected SentineloneS2sInputNetworkStatus = "disconnected"`
        - `const SentineloneS2sInputNetworkStatusDisconnecting SentineloneS2sInputNetworkStatus = "disconnecting"`
        - `const SentineloneS2sInputNetworkStatusConnecting SentineloneS2sInputNetworkStatus = "connecting"`
      - `OperationalState SentineloneS2sInputOperationalState` Agent operational state.
        - `const SentineloneS2sInputOperationalStateNa SentineloneS2sInputOperationalState = "na"`
        - `const SentineloneS2sInputOperationalStatePartiallyDisabled SentineloneS2sInputOperationalState = "partially_disabled"`
        - `const SentineloneS2sInputOperationalStateAutoFullyDisabled SentineloneS2sInputOperationalState = "auto_fully_disabled"`
        - `const SentineloneS2sInputOperationalStateFullyDisabled SentineloneS2sInputOperationalState = "fully_disabled"`
        - `const SentineloneS2sInputOperationalStateAutoPartiallyDisabled SentineloneS2sInputOperationalState = "auto_partially_disabled"`
        - `const SentineloneS2sInputOperationalStateDisabledError SentineloneS2sInputOperationalState = "disabled_error"`
        - `const SentineloneS2sInputOperationalStateDBCorruption SentineloneS2sInputOperationalState = "db_corruption"`
      - `Operator SentineloneS2sInputOperator` Operator.
        - `const SentineloneS2sInputOperatorLess SentineloneS2sInputOperator = "<"`
        - `const SentineloneS2sInputOperatorLessOrEquals SentineloneS2sInputOperator = "<="`
        - `const SentineloneS2sInputOperatorGreater SentineloneS2sInputOperator = ">"`
        - `const SentineloneS2sInputOperatorGreaterOrEquals SentineloneS2sInputOperator = ">="`
        - `const SentineloneS2sInputOperatorEquals SentineloneS2sInputOperator = "=="`
    - `type DeviceInputTeamsDevicesCustomS2sInputRequest struct{…}`
      - `ConnectionID string` Posture Integration ID.
      - `Operator DeviceInputTeamsDevicesCustomS2sInputRequestOperator` Operator.
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLess DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<"`
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLessOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<="`
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreater DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">"`
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreaterOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">="`
        - `const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "=="`
      - `Score float64` A value between 0-100 assigned to devices set by the 3rd party posture provider.
  - `Match []DeviceMatch` The conditions that the client must match to run the rule.
    - `Platform DeviceMatchPlatform`
      - `const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"`
      - `const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"`
      - `const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"`
      - `const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"`
      - `const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"`
      - `const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"`
  - `Name string` The name of the device posture rule.
  - `Schedule string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `Type DevicePostureRuleType` The type of device posture rule.
    - `const DevicePostureRuleTypeFile DevicePostureRuleType = "file"`
    - `const DevicePostureRuleTypeApplication DevicePostureRuleType = "application"`
    - `const DevicePostureRuleTypeTanium DevicePostureRuleType = "tanium"`
    - `const DevicePostureRuleTypeGateway DevicePostureRuleType = "gateway"`
    - `const DevicePostureRuleTypeWARP DevicePostureRuleType = "warp"`
    - `const DevicePostureRuleTypeDiskEncryption DevicePostureRuleType = "disk_encryption"`
    - `const DevicePostureRuleTypeSerialNumber DevicePostureRuleType = "serial_number"`
    - `const DevicePostureRuleTypeSentinelone DevicePostureRuleType = "sentinelone"`
    - `const DevicePostureRuleTypeCarbonblack DevicePostureRuleType = "carbonblack"`
    - `const DevicePostureRuleTypeFirewall DevicePostureRuleType = "firewall"`
    - `const DevicePostureRuleTypeOSVersion DevicePostureRuleType = "os_version"`
    - `const DevicePostureRuleTypeDomainJoined DevicePostureRuleType = "domain_joined"`
    - `const DevicePostureRuleTypeClientCertificate DevicePostureRuleType = "client_certificate"`
    - `const DevicePostureRuleTypeClientCertificateV2 DevicePostureRuleType = "client_certificate_v2"`
    - `const DevicePostureRuleTypeAntivirus DevicePostureRuleType = "antivirus"`
    - `const DevicePostureRuleTypeUniqueClientID DevicePostureRuleType = "unique_client_id"`
    - `const DevicePostureRuleTypeKolide DevicePostureRuleType = "kolide"`
    - `const DevicePostureRuleTypeTaniumS2s DevicePostureRuleType = "tanium_s2s"`
    - `const DevicePostureRuleTypeCrowdstrikeS2s DevicePostureRuleType = "crowdstrike_s2s"`
    - `const DevicePostureRuleTypeIntune DevicePostureRuleType = "intune"`
    - `const DevicePostureRuleTypeWorkspaceOne DevicePostureRuleType = "workspace_one"`
    - `const DevicePostureRuleTypeSentineloneS2s DevicePostureRuleType = "sentinelone_s2s"`
    - `const DevicePostureRuleTypeCustomS2s DevicePostureRuleType = "custom_s2s"`

### Disk Encryption Input

- `type DiskEncryptionInput struct{…}`
  - `CheckDisks []CarbonblackInput` List of volume names to be checked for encryption.
  - `RequireAll bool` Whether to check all disks for encryption.

### Domain Joined Input

- `type DomainJoinedInput struct{…}`
  - `OperatingSystem DomainJoinedInputOperatingSystem` Operating System.
    - `const DomainJoinedInputOperatingSystemWindows DomainJoinedInputOperatingSystem = "windows"`
  - `Domain string` Domain.

### File Input

- `type FileInput struct{…}`
  - `OperatingSystem FileInputOperatingSystem` Operating system.
    - `const FileInputOperatingSystemWindows FileInputOperatingSystem = "windows"`
    - `const FileInputOperatingSystemLinux FileInputOperatingSystem = "linux"`
    - `const FileInputOperatingSystemMac FileInputOperatingSystem = "mac"`
  - `Path string` File path.
  - `Exists bool` Whether or not file exists.
  - `Sha256 string` SHA-256.
  - `Thumbprint string` Signing certificate thumbprint.

### Firewall Input

- `type FirewallInput struct{…}`
  - `Enabled bool` Enabled.
  - `OperatingSystem FirewallInputOperatingSystem` Operating System.
    - `const FirewallInputOperatingSystemWindows FirewallInputOperatingSystem = "windows"`
    - `const FirewallInputOperatingSystemMac FirewallInputOperatingSystem = "mac"`

### Intune Input

- `type IntuneInput struct{…}`
  - `ComplianceStatus IntuneInputComplianceStatus` Compliance Status.
    - `const IntuneInputComplianceStatusCompliant IntuneInputComplianceStatus = "compliant"`
    - `const IntuneInputComplianceStatusNoncompliant IntuneInputComplianceStatus = "noncompliant"`
    - `const IntuneInputComplianceStatusUnknown IntuneInputComplianceStatus = "unknown"`
    - `const IntuneInputComplianceStatusNotapplicable IntuneInputComplianceStatus = "notapplicable"`
    - `const IntuneInputComplianceStatusIngraceperiod IntuneInputComplianceStatus = "ingraceperiod"`
    - `const IntuneInputComplianceStatusError IntuneInputComplianceStatus = "error"`
  - `ConnectionID string` Posture Integration ID.

### Kolide Input

- `type KolideInput struct{…}`
  - `ConnectionID string` Posture Integration ID.
  - `CountOperator KolideInputCountOperator` Count Operator.
    - `const KolideInputCountOperatorLess KolideInputCountOperator = "<"`
    - `const KolideInputCountOperatorLessOrEquals KolideInputCountOperator = "<="`
    - `const KolideInputCountOperatorGreater KolideInputCountOperator = ">"`
    - `const KolideInputCountOperatorGreaterOrEquals KolideInputCountOperator = ">="`
    - `const KolideInputCountOperatorEquals KolideInputCountOperator = "=="`
  - `IssueCount string` The Number of Issues.

### OS Version Input

- `type OSVersionInput struct{…}`
  - `OperatingSystem OSVersionInputOperatingSystem` Operating System.
    - `const OSVersionInputOperatingSystemWindows OSVersionInputOperatingSystem = "windows"`
  - `Operator OSVersionInputOperator` Operator.
    - `const OSVersionInputOperatorLess OSVersionInputOperator = "<"`
    - `const OSVersionInputOperatorLessOrEquals OSVersionInputOperator = "<="`
    - `const OSVersionInputOperatorGreater OSVersionInputOperator = ">"`
    - `const OSVersionInputOperatorGreaterOrEquals OSVersionInputOperator = ">="`
    - `const OSVersionInputOperatorEquals OSVersionInputOperator = "=="`
  - `Version string` Version of OS.
  - `OSDistroName string` Operating System Distribution Name (linux only).
  - `OSDistroRevision string` Version of OS Distribution (linux only).
  - `OSVersionExtra string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

### Sentinelone Input

- `type SentineloneInput struct{…}`
  - `OperatingSystem SentineloneInputOperatingSystem` Operating system.
    - `const SentineloneInputOperatingSystemWindows SentineloneInputOperatingSystem = "windows"`
    - `const SentineloneInputOperatingSystemLinux SentineloneInputOperatingSystem = "linux"`
    - `const SentineloneInputOperatingSystemMac SentineloneInputOperatingSystem = "mac"`
  - `Path string` File path.
  - `Sha256 string` SHA-256.
  - `Thumbprint string` Signing certificate thumbprint.
### Sentinelone S2s Input

- `type SentineloneS2sInput struct{…}`
  - `ConnectionID string` Posture Integration ID.
  - `ActiveThreats float64` The Number of active threats.
  - `Infected bool` Whether device is infected.
  - `IsActive bool` Whether device is active.
  - `NetworkStatus SentineloneS2sInputNetworkStatus` Network status of device.
    - `const SentineloneS2sInputNetworkStatusConnected SentineloneS2sInputNetworkStatus = "connected"`
    - `const SentineloneS2sInputNetworkStatusDisconnected SentineloneS2sInputNetworkStatus = "disconnected"`
    - `const SentineloneS2sInputNetworkStatusDisconnecting SentineloneS2sInputNetworkStatus = "disconnecting"`
    - `const SentineloneS2sInputNetworkStatusConnecting SentineloneS2sInputNetworkStatus = "connecting"`
  - `OperationalState SentineloneS2sInputOperationalState` Agent operational state.
    - `const SentineloneS2sInputOperationalStateNa SentineloneS2sInputOperationalState = "na"`
    - `const SentineloneS2sInputOperationalStatePartiallyDisabled SentineloneS2sInputOperationalState = "partially_disabled"`
    - `const SentineloneS2sInputOperationalStateAutoFullyDisabled SentineloneS2sInputOperationalState = "auto_fully_disabled"`
    - `const SentineloneS2sInputOperationalStateFullyDisabled SentineloneS2sInputOperationalState = "fully_disabled"`
    - `const SentineloneS2sInputOperationalStateAutoPartiallyDisabled SentineloneS2sInputOperationalState = "auto_partially_disabled"`
    - `const SentineloneS2sInputOperationalStateDisabledError SentineloneS2sInputOperationalState = "disabled_error"`
    - `const SentineloneS2sInputOperationalStateDBCorruption SentineloneS2sInputOperationalState = "db_corruption"`
  - `Operator SentineloneS2sInputOperator` Operator.
    - `const SentineloneS2sInputOperatorLess SentineloneS2sInputOperator = "<"`
    - `const SentineloneS2sInputOperatorLessOrEquals SentineloneS2sInputOperator = "<="`
    - `const SentineloneS2sInputOperatorGreater SentineloneS2sInputOperator = ">"`
    - `const SentineloneS2sInputOperatorGreaterOrEquals SentineloneS2sInputOperator = ">="`
    - `const SentineloneS2sInputOperatorEquals SentineloneS2sInputOperator = "=="`

### Tanium Input

- `type TaniumInput struct{…}`
  - `ConnectionID string` Posture Integration ID.
  - `EidLastSeen string` For more details on eid last seen, refer to the Tanium documentation.
  - `Operator TaniumInputOperator` Operator to evaluate risk_level or eid_last_seen.
    - `const TaniumInputOperatorLess TaniumInputOperator = "<"`
    - `const TaniumInputOperatorLessOrEquals TaniumInputOperator = "<="`
    - `const TaniumInputOperatorGreater TaniumInputOperator = ">"`
    - `const TaniumInputOperatorGreaterOrEquals TaniumInputOperator = ">="`
    - `const TaniumInputOperatorEquals TaniumInputOperator = "=="`
  - `RiskLevel TaniumInputRiskLevel` For more details on risk level, refer to the Tanium documentation.
    - `const TaniumInputRiskLevelLow TaniumInputRiskLevel = "low"`
    - `const TaniumInputRiskLevelMedium TaniumInputRiskLevel = "medium"`
    - `const TaniumInputRiskLevelHigh TaniumInputRiskLevel = "high"`
    - `const TaniumInputRiskLevelCritical TaniumInputRiskLevel = "critical"`
  - `ScoreOperator TaniumInputScoreOperator` Score Operator.
    - `const TaniumInputScoreOperatorLess TaniumInputScoreOperator = "<"`
    - `const TaniumInputScoreOperatorLessOrEquals TaniumInputScoreOperator = "<="`
    - `const TaniumInputScoreOperatorGreater TaniumInputScoreOperator = ">"`
    - `const TaniumInputScoreOperatorGreaterOrEquals TaniumInputScoreOperator = ">="`
    - `const TaniumInputScoreOperatorEquals TaniumInputScoreOperator = "=="`
  - `TotalScore float64` For more details on total score, refer to the Tanium documentation.

### Unique Client ID Input

- `type UniqueClientIDInput struct{…}`
  - `ID string` List ID.
  - `OperatingSystem UniqueClientIDInputOperatingSystem` Operating System.
    - `const UniqueClientIDInputOperatingSystemAndroid UniqueClientIDInputOperatingSystem = "android"`
    - `const UniqueClientIDInputOperatingSystemIos UniqueClientIDInputOperatingSystem = "ios"`
    - `const UniqueClientIDInputOperatingSystemChromeos UniqueClientIDInputOperatingSystem = "chromeos"`

### Workspace One Input

- `type WorkspaceOneInput struct{…}`
  - `ComplianceStatus WorkspaceOneInputComplianceStatus` Compliance Status.
    - `const WorkspaceOneInputComplianceStatusCompliant WorkspaceOneInputComplianceStatus = "compliant"`
    - `const WorkspaceOneInputComplianceStatusNoncompliant WorkspaceOneInputComplianceStatus = "noncompliant"`
    - `const WorkspaceOneInputComplianceStatusUnknown WorkspaceOneInputComplianceStatus = "unknown"`
  - `ConnectionID string` Posture Integration ID.

# Integrations

## List your device posture integrations

`client.ZeroTrust.Devices.Posture.Integrations.List(ctx, query) (*SinglePage[Integration], error)`

**get** `/accounts/{account_id}/devices/posture/integration`

Fetches the list of device posture integrations for an account.

### Parameters

- `query DevicePostureIntegrationListParams`
  - `AccountID param.Field[string]`

### Returns

- `type Integration struct{…}`
  - `ID string` API UUID.
  - `Config IntegrationConfig` The configuration object containing third-party integration information.
    - `APIURL string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `AuthURL string` The Workspace One Authorization URL depending on your region.
    - `ClientID string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `Interval string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `Name string` The name of the device posture integration.
  - `Type IntegrationType` The type of device posture integration.
    - `const IntegrationTypeWorkspaceOne IntegrationType = "workspace_one"`
    - `const IntegrationTypeCrowdstrikeS2s IntegrationType = "crowdstrike_s2s"`
    - `const IntegrationTypeUptycs IntegrationType = "uptycs"`
    - `const IntegrationTypeIntune IntegrationType = "intune"`
    - `const IntegrationTypeKolide IntegrationType = "kolide"`
    - `const IntegrationTypeTaniumS2s IntegrationType = "tanium_s2s"`
    - `const IntegrationTypeSentineloneS2s IntegrationType = "sentinelone_s2s"`
    - `const IntegrationTypeCustomS2s IntegrationType = "custom_s2s"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Example token value from the documentation. In real code, load the
	// token from the environment or a secret store instead of hard-coding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// List every device posture integration configured for the account.
	page, err := client.ZeroTrust.Devices.Posture.Integrations.List(context.TODO(), zero_trust.DevicePostureIntegrationListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "config": {
        "api_url": "https://as123.awmdm.com/API",
        "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
        "client_id": "example client id"
      },
      "interval": "10m",
      "name": "My Workspace One Integration",
      "type": "workspace_one"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device posture integration details

`client.ZeroTrust.Devices.Posture.Integrations.Get(ctx, integrationID, query) (*Integration, error)`

**get**
`/accounts/{account_id}/devices/posture/integration/{integration_id}`

Fetches details for a single device posture integration.

### Parameters

- `integrationID string` API UUID.
- `query DevicePostureIntegrationGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type Integration struct{…}`
  - `ID string` API UUID.
  - `Config IntegrationConfig` The configuration object containing third-party integration information.
    - `APIURL string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `AuthURL string` The Workspace One Authorization URL depending on your region.
    - `ClientID string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `Interval string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `Name string` The name of the device posture integration.
  - `Type IntegrationType` The type of device posture integration.
    - `const IntegrationTypeWorkspaceOne IntegrationType = "workspace_one"`
    - `const IntegrationTypeCrowdstrikeS2s IntegrationType = "crowdstrike_s2s"`
    - `const IntegrationTypeUptycs IntegrationType = "uptycs"`
    - `const IntegrationTypeIntune IntegrationType = "intune"`
    - `const IntegrationTypeKolide IntegrationType = "kolide"`
    - `const IntegrationTypeTaniumS2s IntegrationType = "tanium_s2s"`
    - `const IntegrationTypeSentineloneS2s IntegrationType = "sentinelone_s2s"`
    - `const IntegrationTypeCustomS2s IntegrationType = "custom_s2s"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Example token value from the documentation. In real code, load the
	// token from the environment or a secret store instead of hard-coding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Fetch a single integration by its API UUID.
	integration, err := client.ZeroTrust.Devices.Posture.Integrations.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePostureIntegrationGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Create a device posture integration

`client.ZeroTrust.Devices.Posture.Integrations.New(ctx, params) (*Integration, error)`

**post** `/accounts/{account_id}/devices/posture/integration`

Create a new device posture integration.

### Parameters

- `params DevicePostureIntegrationNewParams`
  - `AccountID param.Field[string]` Path param
  - `Config param.Field[DevicePostureIntegrationNewParamsConfig]` Body param: The configuration object containing third-party integration information.
    - `type DevicePostureIntegrationNewParamsConfigTeamsDevicesWorkspaceOneConfigRequest struct{…}`
      - `APIURL string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
      - `AuthURL string` The Workspace One Authorization URL depending on your region.
      - `ClientID string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
      - `ClientSecret string` The Workspace One client secret provided in the Workspace One Admin Dashboard.
    - `type DevicePostureIntegrationNewParamsConfigTeamsDevicesCrowdstrikeConfigRequest struct{…}`
      - `APIURL string` The Crowdstrike API URL.
      - `ClientID string` The Crowdstrike client ID.
      - `ClientSecret string` The Crowdstrike client secret.
      - `CustomerID string` The Crowdstrike customer ID.
    - `type DevicePostureIntegrationNewParamsConfigTeamsDevicesUptycsConfigRequest struct{…}`
      - `APIURL string` The Uptycs API URL.
      - `ClientKey string` The Uptycs client secret.
      - `ClientSecret string` The Uptycs client secret.
      - `CustomerID string` The Uptycs customer ID.
    - `type DevicePostureIntegrationNewParamsConfigTeamsDevicesIntuneConfigRequest struct{…}`
      - `ClientID string` The Intune client ID.
      - `ClientSecret string` The Intune client secret.
      - `CustomerID string` The Intune customer ID.
    - `type DevicePostureIntegrationNewParamsConfigTeamsDevicesKolideConfigRequest struct{…}`
      - `ClientID string` The Kolide client ID.
      - `ClientSecret string` The Kolide client secret.
    - `type DevicePostureIntegrationNewParamsConfigTeamsDevicesTaniumConfigRequest struct{…}`
      - `APIURL string` The Tanium API URL.
      - `ClientSecret string` The Tanium client secret.
      - `AccessClientID string` If present, this id will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
      - `AccessClientSecret string` If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
    - `type DevicePostureIntegrationNewParamsConfigTeamsDevicesSentineloneS2sConfigRequest struct{…}`
      - `APIURL string` The SentinelOne S2S API URL.
      - `ClientSecret string` The SentinelOne S2S client secret.
    - `type DevicePostureIntegrationNewParamsConfigTeamsDevicesCustomS2sConfigRequest struct{…}`
      - `AccessClientID string` This id will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
      - `AccessClientSecret string` This secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
      - `APIURL string` The Custom Device Posture Integration API URL.
  - `Interval param.Field[string]` Body param: The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `Name param.Field[string]` Body param: The name of the device posture integration.
  - `Type param.Field[DevicePostureIntegrationNewParamsType]` Body param: The type of device posture integration.
    - `const DevicePostureIntegrationNewParamsTypeWorkspaceOne DevicePostureIntegrationNewParamsType = "workspace_one"`
    - `const DevicePostureIntegrationNewParamsTypeCrowdstrikeS2s DevicePostureIntegrationNewParamsType = "crowdstrike_s2s"`
    - `const DevicePostureIntegrationNewParamsTypeUptycs DevicePostureIntegrationNewParamsType = "uptycs"`
    - `const DevicePostureIntegrationNewParamsTypeIntune DevicePostureIntegrationNewParamsType = "intune"`
    - `const DevicePostureIntegrationNewParamsTypeKolide DevicePostureIntegrationNewParamsType = "kolide"`
    - `const DevicePostureIntegrationNewParamsTypeTaniumS2s DevicePostureIntegrationNewParamsType = "tanium_s2s"`
    - `const DevicePostureIntegrationNewParamsTypeSentineloneS2s DevicePostureIntegrationNewParamsType = "sentinelone_s2s"`
    - `const DevicePostureIntegrationNewParamsTypeCustomS2s DevicePostureIntegrationNewParamsType = "custom_s2s"`

### Returns

- `type Integration struct{…}`
  - `ID string` API UUID.
  - `Config IntegrationConfig` The configuration object containing third-party integration information.
    - `APIURL string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `AuthURL string` The Workspace One Authorization URL depending on your region.
    - `ClientID string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `Interval string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `Name string` The name of the device posture integration.
  - `Type IntegrationType` The type of device posture integration.
    - `const IntegrationTypeWorkspaceOne IntegrationType = "workspace_one"`
    - `const IntegrationTypeCrowdstrikeS2s IntegrationType = "crowdstrike_s2s"`
    - `const IntegrationTypeUptycs IntegrationType = "uptycs"`
    - `const IntegrationTypeIntune IntegrationType = "intune"`
    - `const IntegrationTypeKolide IntegrationType = "kolide"`
    - `const IntegrationTypeTaniumS2s IntegrationType = "tanium_s2s"`
    - `const IntegrationTypeSentineloneS2s IntegrationType = "sentinelone_s2s"`
    - `const IntegrationTypeCustomS2s IntegrationType = "custom_s2s"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.Devices.Posture.Integrations.New(context.TODO(), zero_trust.DevicePostureIntegrationNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Config: cloudflare.F[zero_trust.DevicePostureIntegrationNewParamsConfigUnion](zero_trust.DevicePostureIntegrationNewParamsConfigTeamsDevicesWorkspaceOneConfigRequest{
			APIURL:       cloudflare.F("https://as123.awmdm.com/API"),
			AuthURL:      cloudflare.F("https://na.uemauth.workspaceone.com/connect/token"),
			ClientID:     cloudflare.F("example client id"),
			ClientSecret: cloudflare.F("example client secret"),
		}),
		Interval: cloudflare.F("10m"),
		Name:     cloudflare.F("My Workspace One Integration"),
		Type:     cloudflare.F(zero_trust.DevicePostureIntegrationNewParamsTypeWorkspaceOne),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Update a device posture integration

`client.ZeroTrust.Devices.Posture.Integrations.Edit(ctx, integrationID, params) (*Integration, error)`

**patch** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Updates a configured device posture integration.

### Parameters

- `integrationID string` API UUID.
- `params DevicePostureIntegrationEditParams`
  - `AccountID param.Field[string]` Path param
  - `Config param.Field[DevicePostureIntegrationEditParamsConfig]` Body param: The configuration object containing third-party integration information.
    - `type DevicePostureIntegrationEditParamsConfigTeamsDevicesWorkspaceOneConfigRequest struct{…}`
      - `APIURL string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
      - `AuthURL string` The Workspace One Authorization URL depending on your region.
      - `ClientID string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
      - `ClientSecret string` The Workspace One client secret provided in the Workspace One Admin Dashboard.
    - `type DevicePostureIntegrationEditParamsConfigTeamsDevicesCrowdstrikeConfigRequest struct{…}`
      - `APIURL string` The Crowdstrike API URL.
      - `ClientID string` The Crowdstrike client ID.
      - `ClientSecret string` The Crowdstrike client secret.
      - `CustomerID string` The Crowdstrike customer ID.
    - `type DevicePostureIntegrationEditParamsConfigTeamsDevicesUptycsConfigRequest struct{…}`
      - `APIURL string` The Uptycs API URL.
      - `ClientKey string` The Uptycs client secret.
      - `ClientSecret string` The Uptycs client secret.
      - `CustomerID string` The Uptycs customer ID.
    - `type DevicePostureIntegrationEditParamsConfigTeamsDevicesIntuneConfigRequest struct{…}`
      - `ClientID string` The Intune client ID.
      - `ClientSecret string` The Intune client secret.
      - `CustomerID string` The Intune customer ID.
    - `type DevicePostureIntegrationEditParamsConfigTeamsDevicesKolideConfigRequest struct{…}`
      - `ClientID string` The Kolide client ID.
      - `ClientSecret string` The Kolide client secret.
    - `type DevicePostureIntegrationEditParamsConfigTeamsDevicesTaniumConfigRequest struct{…}`
      - `APIURL string` The Tanium API URL.
      - `ClientSecret string` The Tanium client secret.
      - `AccessClientID string` If present, this id will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
      - `AccessClientSecret string` If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
    - `type DevicePostureIntegrationEditParamsConfigTeamsDevicesSentineloneS2sConfigRequest struct{…}`
      - `APIURL string` The SentinelOne S2S API URL.
      - `ClientSecret string` The SentinelOne S2S client secret.
    - `type DevicePostureIntegrationEditParamsConfigTeamsDevicesCustomS2sConfigRequest struct{…}`
      - `AccessClientID string` This id will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
      - `AccessClientSecret string` This secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
      - `APIURL string` The Custom Device Posture Integration API URL.
  - `Interval param.Field[string]` Body param: The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `Name param.Field[string]` Body param: The name of the device posture integration.
  - `Type param.Field[DevicePostureIntegrationEditParamsType]` Body param: The type of device posture integration.
    - `const DevicePostureIntegrationEditParamsTypeWorkspaceOne DevicePostureIntegrationEditParamsType = "workspace_one"`
    - `const DevicePostureIntegrationEditParamsTypeCrowdstrikeS2s DevicePostureIntegrationEditParamsType = "crowdstrike_s2s"`
    - `const DevicePostureIntegrationEditParamsTypeUptycs DevicePostureIntegrationEditParamsType = "uptycs"`
    - `const DevicePostureIntegrationEditParamsTypeIntune DevicePostureIntegrationEditParamsType = "intune"`
    - `const DevicePostureIntegrationEditParamsTypeKolide DevicePostureIntegrationEditParamsType = "kolide"`
    - `const DevicePostureIntegrationEditParamsTypeTaniumS2s DevicePostureIntegrationEditParamsType = "tanium_s2s"`
    - `const DevicePostureIntegrationEditParamsTypeSentineloneS2s DevicePostureIntegrationEditParamsType = "sentinelone_s2s"`
    - `const DevicePostureIntegrationEditParamsTypeCustomS2s DevicePostureIntegrationEditParamsType = "custom_s2s"`

### Returns

- `type Integration struct{…}`
  - `ID string` API UUID.
  - `Config IntegrationConfig` The configuration object containing third-party integration information.
    - `APIURL string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `AuthURL string` The Workspace One Authorization URL depending on your region.
    - `ClientID string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `Interval string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `Name string` The name of the device posture integration.
  - `Type IntegrationType` The type of device posture integration.
    - `const IntegrationTypeWorkspaceOne IntegrationType = "workspace_one"`
    - `const IntegrationTypeCrowdstrikeS2s IntegrationType = "crowdstrike_s2s"`
    - `const IntegrationTypeUptycs IntegrationType = "uptycs"`
    - `const IntegrationTypeIntune IntegrationType = "intune"`
    - `const IntegrationTypeKolide IntegrationType = "kolide"`
    - `const IntegrationTypeTaniumS2s IntegrationType = "tanium_s2s"`
    - `const IntegrationTypeSentineloneS2s IntegrationType = "sentinelone_s2s"`
    - `const IntegrationTypeCustomS2s IntegrationType = "custom_s2s"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.Devices.Posture.Integrations.Edit(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePostureIntegrationEditParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Delete a device posture integration

`client.ZeroTrust.Devices.Posture.Integrations.Delete(ctx, integrationID, body) (*unknown, error)`

**delete** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Delete a configured device posture integration.

### Parameters

- `integrationID string` API UUID.
- `body DevicePostureIntegrationDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DevicePostureIntegrationDeleteResponseEnvelopeResult interface{…}`
  - `unknown`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.Devices.Posture.Integrations.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DevicePostureIntegrationDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Integration

- `type Integration struct{…}`
  - `ID string` API UUID.
  - `Config IntegrationConfig` The configuration object containing third-party integration information.
    - `APIURL string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `AuthURL string` The Workspace One Authorization URL depending on your region.
    - `ClientID string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `Interval string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `Name string` The name of the device posture integration.
  - `Type IntegrationType` The type of device posture integration.
    - `const IntegrationTypeWorkspaceOne IntegrationType = "workspace_one"`
    - `const IntegrationTypeCrowdstrikeS2s IntegrationType = "crowdstrike_s2s"`
    - `const IntegrationTypeUptycs IntegrationType = "uptycs"`
    - `const IntegrationTypeIntune IntegrationType = "intune"`
    - `const IntegrationTypeKolide IntegrationType = "kolide"`
    - `const IntegrationTypeTaniumS2s IntegrationType = "tanium_s2s"`
    - `const IntegrationTypeSentineloneS2s IntegrationType = "sentinelone_s2s"`
    - `const IntegrationTypeCustomS2s IntegrationType = "custom_s2s"`

# Revoke

## Revoke devices (deprecated)

`client.ZeroTrust.Devices.Revoke.New(ctx, params) (*unknown, error)`

**post** `/accounts/{account_id}/devices/revoke`

Revokes a list of devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled.

**Deprecated**: please use POST /accounts/{account_id}/devices/registrations/revoke instead.

### Parameters

- `params DeviceRevokeNewParams`
  - `AccountID param.Field[string]` Path param
  - `Body param.Field[[]string]` Body param: A list of Registration IDs to revoke.
### Returns

- `type DeviceRevokeNewResponseEnvelopeResult interface{…}`
  - `unknown`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	revoke, err := client.ZeroTrust.Devices.Revoke.New(context.TODO(), zero_trust.DeviceRevokeNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Body:      []string{"f174e90a-fafe-4643-bbbc-4a0ed4fc8415"},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", revoke)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

# Settings

## Get device settings for a Zero Trust account

`client.ZeroTrust.Devices.Settings.Get(ctx, query) (*DeviceSettings, error)`

**get** `/accounts/{account_id}/devices/settings`

Describes the current device settings for a Zero Trust account.

### Parameters

- `query DeviceSettingGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceSettings struct{…}`
  - `DisableForTime float64` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `ExternalEmergencySignalEnabled bool` Controls whether the external emergency disconnect feature is enabled.
  - `ExternalEmergencySignalFingerprint string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `ExternalEmergencySignalInterval string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `ExternalEmergencySignalURL string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `GatewayProxyEnabled bool` Enable gateway proxy filtering on TCP.
  - `GatewayUdpProxyEnabled bool` Enable gateway proxy filtering on UDP.
  - `RootCertificateInstallationEnabled bool` Enable installation of cloudflare managed root certificate.
  - `UseZtVirtualIP bool` Enable using CGNAT virtual IPv4.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	deviceSettings, err := client.ZeroTrust.Devices.Settings.Get(context.TODO(), zero_trust.DeviceSettingGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", deviceSettings.DisableForTime)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Update device settings for a Zero Trust account

`client.ZeroTrust.Devices.Settings.Update(ctx, params) (*DeviceSettings, error)`

**put** `/accounts/{account_id}/devices/settings`

Updates the current device settings for a Zero Trust account.

### Parameters

- `params DeviceSettingUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `DeviceSettings param.Field[DeviceSettings]` Body param

### Returns

- `type DeviceSettings struct{…}`
  - `DisableForTime float64` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `ExternalEmergencySignalEnabled bool` Controls whether the external emergency disconnect feature is enabled.
  - `ExternalEmergencySignalFingerprint string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `ExternalEmergencySignalInterval string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `ExternalEmergencySignalURL string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `GatewayProxyEnabled bool` Enable gateway proxy filtering on TCP.
  - `GatewayUdpProxyEnabled bool` Enable gateway proxy filtering on UDP.
  - `RootCertificateInstallationEnabled bool` Enable installation of cloudflare managed root certificate.
  - `UseZtVirtualIP bool` Enable using CGNAT virtual IPv4.
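
The `ExternalEmergencySignal*` constraints in the field descriptions (HTTPS URL with an IP-address host, interval of at least 30 seconds, 64-hexadecimal-character SHA-256 certificate fingerprint) can be checked locally before the settings are sent. The following is an added example, not part of the SDK or of the original reference: `EmergencySignal`, `CertFingerprint`, `PinMatches`, `Validate` and `constructedCertDER` are hypothetical names, and it assumes the fingerprint is the SHA-256 digest of the DER-encoded certificate and that interval strings follow Go's `time.ParseDuration` syntax.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"net/netip"
	"net/url"
	"strings"
	"time"
)

// EmergencySignal is a hypothetical local mirror of the four
// ExternalEmergencySignal* fields of DeviceSettings (not the SDK type).
type EmergencySignal struct {
	Enabled     bool
	Fingerprint string
	Interval    string
	URL         string
}

// CertFingerprint returns the lowercase hex SHA-256 digest of a DER-encoded
// certificate. Assumption: this conventional whole-certificate digest is
// what the API means by "SHA256 fingerprint".
func CertFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinMatches reports whether the pinned value equals the fingerprint of the
// presented certificate. Ignoring hex case is this example's choice.
func PinMatches(pinned string, der []byte) bool {
	return strings.EqualFold(pinned, CertFingerprint(der))
}

// Validate returns one message per documented constraint that s violates.
func Validate(s EmergencySignal) []string {
	if !s.Enabled {
		return nil // feature disabled: nothing to enforce
	}
	var problems []string
	u, err := url.Parse(s.URL)
	if err != nil || u.Scheme != "https" {
		problems = append(problems, "url: must use HTTPS")
	} else if _, err := netip.ParseAddr(u.Hostname()); err != nil {
		problems = append(problems, "url: host must be an IPv4 or IPv6 address")
	}
	// Assumption: the API's duration strings parse with time.ParseDuration.
	if d, err := time.ParseDuration(s.Interval); err != nil {
		problems = append(problems, "interval: not a duration string")
	} else if d < 30*time.Second {
		problems = append(problems, "interval: below the 30 second minimum")
	}
	// Requiring a pin at all is this example's policy; the field description
	// only says "if provided".
	if raw, err := hex.DecodeString(s.Fingerprint); err != nil || len(raw) != sha256.Size {
		problems = append(problems, "fingerprint: need 64 hexadecimal characters")
	}
	return problems
}

// constructedCertDER builds a throwaway self-signed certificate so the
// example runs offline; it stands in for the signal server's certificate.
func constructedCertDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed signal server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("192.0.2.1")},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := constructedCertDER()
	if err != nil {
		panic(err)
	}
	good := EmergencySignal{Enabled: true, Fingerprint: CertFingerprint(der),
		Interval: "5m", URL: "https://192.0.2.1/signal"}
	bad := EmergencySignal{Enabled: true, Fingerprint: "abcd1234",
		Interval: "10s", URL: "https://signal.example.com/signal"}
	fmt.Println("good:", Validate(good), "pin matches:", PinMatches(good.Fingerprint, der))
	for _, p := range Validate(bad) {
		fmt.Println("bad:", p)
	}
}
```
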
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	deviceSettings, err := client.ZeroTrust.Devices.Settings.Update(context.TODO(), zero_trust.DeviceSettingUpdateParams{
		AccountID:      cloudflare.F("699d98642c564d2e855e9661899b7252"),
		DeviceSettings: zero_trust.DeviceSettingsParam{},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", deviceSettings.DisableForTime)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Patch device settings for a Zero Trust account

`client.ZeroTrust.Devices.Settings.Edit(ctx, params) (*DeviceSettings, error)`

**patch** `/accounts/{account_id}/devices/settings`

Patches the current device settings for a Zero Trust account.

### Parameters

- `params DeviceSettingEditParams`
  - `AccountID param.Field[string]` Path param
  - `DeviceSettings param.Field[DeviceSettings]` Body param

### Returns

- `type DeviceSettings struct{…}`
  - `DisableForTime float64` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `ExternalEmergencySignalEnabled bool` Controls whether the external emergency disconnect feature is enabled.
  - `ExternalEmergencySignalFingerprint string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `ExternalEmergencySignalInterval string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `ExternalEmergencySignalURL string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `GatewayProxyEnabled bool` Enable gateway proxy filtering on TCP.
  - `GatewayUdpProxyEnabled bool` Enable gateway proxy filtering on UDP.
  - `RootCertificateInstallationEnabled bool` Enable installation of cloudflare managed root certificate.
  - `UseZtVirtualIP bool` Enable using CGNAT virtual IPv4.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	deviceSettings, err := client.ZeroTrust.Devices.Settings.Edit(context.TODO(), zero_trust.DeviceSettingEditParams{
		AccountID:      cloudflare.F("699d98642c564d2e855e9661899b7252"),
		DeviceSettings: zero_trust.DeviceSettingsParam{},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", deviceSettings.DisableForTime)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Reset device settings for a Zero Trust account with defaults. This turns off all proxying.

`client.ZeroTrust.Devices.Settings.Delete(ctx, body) (*DeviceSettings, error)`

**delete** `/accounts/{account_id}/devices/settings`

Resets the current device settings for a Zero Trust account.

### Parameters

- `body DeviceSettingDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceSettings struct{…}`
  - `DisableForTime float64` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `ExternalEmergencySignalEnabled bool` Controls whether the external emergency disconnect feature is enabled.
  - `ExternalEmergencySignalFingerprint string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `ExternalEmergencySignalInterval string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `ExternalEmergencySignalURL string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `GatewayProxyEnabled bool` Enable gateway proxy filtering on TCP.
  - `GatewayUdpProxyEnabled bool` Enable gateway proxy filtering on UDP.
  - `RootCertificateInstallationEnabled bool` Enable installation of cloudflare managed root certificate.
  - `UseZtVirtualIP bool` Enable using CGNAT virtual IPv4.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	deviceSettings, err := client.ZeroTrust.Devices.Settings.Delete(context.TODO(), zero_trust.DeviceSettingDeleteParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", deviceSettings.DisableForTime)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Domain Types

### Device Settings

- `type DeviceSettings struct{…}`
  - `DisableForTime float64` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `ExternalEmergencySignalEnabled bool` Controls whether the external emergency disconnect feature is enabled.
  - `ExternalEmergencySignalFingerprint string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `ExternalEmergencySignalInterval string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `ExternalEmergencySignalURL string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `GatewayProxyEnabled bool` Enable gateway proxy filtering on TCP.
  - `GatewayUdpProxyEnabled bool` Enable gateway proxy filtering on UDP.
  - `RootCertificateInstallationEnabled bool` Enable installation of cloudflare managed root certificate.
  - `UseZtVirtualIP bool` Enable using CGNAT virtual IPv4.

# Unrevoke

## Unrevoke devices (deprecated)

`client.ZeroTrust.Devices.Unrevoke.New(ctx, params) (*unknown, error)`

**post** `/accounts/{account_id}/devices/unrevoke`

Unrevokes a list of devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled.

**Deprecated**: please use POST /accounts/{account_id}/devices/registrations/unrevoke instead.

### Parameters

- `params DeviceUnrevokeNewParams`
  - `AccountID param.Field[string]` Path param
  - `Body param.Field[[]string]` Body param: A list of Registration IDs to unrevoke.
### Returns

- `type DeviceUnrevokeNewResponseEnvelopeResult interface{…}`
  - `unknown`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	unrevoke, err := client.ZeroTrust.Devices.Unrevoke.New(context.TODO(), zero_trust.DeviceUnrevokeNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Body:      []string{"f174e90a-fafe-4643-bbbc-4a0ed4fc8415"},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", unrevoke)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

# Override Codes

## Get override codes (deprecated)

`client.ZeroTrust.Devices.OverrideCodes.List(ctx, deviceID, query) (*SinglePage[DeviceOverrideCodeListResponse], error)`

**get** `/accounts/{account_id}/devices/{device_id}/override_codes`

Fetches a one-time use admin override code for a device. This relies on the **Admin Override** setting being enabled in your device configuration. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated:** please use GET /accounts/{account_id}/devices/registrations/{registration_id}/override_codes instead.

### Parameters

- `deviceID string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
- `query DeviceOverrideCodeListParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceOverrideCodeListResponse interface{…}`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Devices.OverrideCodes.List(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.DeviceOverrideCodeListParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {}
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get override codes

`client.ZeroTrust.Devices.OverrideCodes.Get(ctx, registrationID, query) (*DeviceOverrideCodeGetResponse, error)`

**get** `/accounts/{account_id}/devices/registrations/{registration_id}/override_codes`

Fetches one-time use admin override codes for a registration. This relies on the **Admin Override** setting being enabled in your device configuration.

### Parameters

- `registrationID string`
- `query DeviceOverrideCodeGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type DeviceOverrideCodeGetResponse struct{…}`
  - `DisableForTime map[string, string]`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  overrideCode, err := client.ZeroTrust.Devices.OverrideCodes.Get(
    context.TODO(),
    "registration_id",
    zero_trust.DeviceOverrideCodeGetParams{
      AccountID: cloudflare.F("account_id"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", overrideCode.DisableForTime)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "disable_for_time": {
      "foo": "string"
    }
  },
  "success": true
}
```

# Identity Providers

## List Access identity providers

`client.ZeroTrust.IdentityProviders.List(ctx, params) (*V4PagePaginationArray[IdentityProviderListResponse], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers`

Lists all configured identity providers.

### Parameters

- `params IdentityProviderListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `SCIMEnabled param.Field[string]` Query param: Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled.
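
The identity provider records this endpoint returns carry settings that decide whether deprovisioned users lose access, so a saved list response is worth auditing. The following is an added example, not code from the Cloudflare SDK or this reference: `AuditIdentityProviders`, the rule names and the sample records are constructed for illustration, and the `pkce_enabled` JSON key is an assumed spelling of the documented `PKCEEnabled` field.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample in the shape of the list response. The scim_config keys
// are the ones shown in this page's response body; "pkce_enabled" is an assumed
// snake_case spelling of the documented PKCEEnabled field.
const sampleResponse = `{
  "success": true,
  "result": [
    {"id": "00000000-0000-4000-8000-000000000001", "name": "Corp directory", "type": "azureAD",
     "config": {"prompt": "login", "support_groups": true},
     "scim_config": {"enabled": true, "identity_update_behavior": "automatic",
                     "seat_deprovision": true, "user_deprovision": true}},
    {"id": "00000000-0000-4000-8000-000000000002", "name": "Contractors", "type": "okta",
     "config": {},
     "scim_config": {"enabled": true, "identity_update_behavior": "no_action",
                     "seat_deprovision": false, "user_deprovision": false}},
    {"id": "00000000-0000-4000-8000-000000000003", "name": "Legacy OIDC", "type": "oidc",
     "config": {"pkce_enabled": false},
     "scim_config": {"enabled": true, "identity_update_behavior": "reauth",
                     "seat_deprovision": true, "user_deprovision": false}},
    {"id": "00000000-0000-4000-8000-000000000004", "name": "Email PIN", "type": "onetimepin",
     "config": {}}
  ]
}`

type scimConfig struct {
	Enabled                bool   `json:"enabled"`
	IdentityUpdateBehavior string `json:"identity_update_behavior"`
	SeatDeprovision        bool   `json:"seat_deprovision"`
	UserDeprovision        bool   `json:"user_deprovision"`
}

type identityProvider struct {
	Name   string `json:"name"`
	Type   string `json:"type"`
	Config struct {
		PKCEEnabled *bool `json:"pkce_enabled"` // pointer: absent differs from false
	} `json:"config"`
	SCIMConfig *scimConfig `json:"scim_config"`
}

type listResponse struct {
	Success bool               `json:"success"`
	Result  []identityProvider `json:"result"`
}

// Finding names one identity provider and the rule it failed.
type Finding struct {
	IdP  string
	Rule string
}

// AuditIdentityProviders decodes a list response and reports settings that
// weaken offboarding or the OIDC code flow. Secrets are never decoded.
func AuditIdentityProviders(raw []byte) ([]Finding, error) {
	var resp listResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode list response: %w", err)
	}
	if !resp.Success {
		return nil, errors.New("list response reports success=false")
	}
	var out []Finding
	for _, p := range resp.Result {
		name := p.Name
		add := func(rule string) { out = append(out, Finding{IdP: name, Rule: rule}) }

		// OIDC without PKCE; a missing key is treated as not enabled.
		if p.Type == "oidc" && (p.Config.PKCEEnabled == nil || !*p.Config.PKCEEnabled) {
			add("oidc-pkce-disabled")
		}
		s := p.SCIMConfig
		if s == nil || !s.Enabled {
			continue
		}
		switch {
		case s.SeatDeprovision && !s.UserDeprovision:
			// Documented as invalid: seat removal requires user_deprovision.
			add("seat-deprovision-without-user-deprovision")
		case !s.UserDeprovision:
			// Deprovisioned users keep their Access and Gateway sessions.
			add("scim-no-session-revocation")
		}
		if s.IdentityUpdateBehavior == "no_action" {
			// SCIM changes never reach the identity used in policy evaluation.
			add("scim-updates-ignored")
		}
	}
	return out, nil
}

func main() {
	findings, err := AuditIdentityProviders([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %s\n", f.IdP, f.Rule)
	}
}
```
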

### Returns

- `type IdentityProviderListResponse interface{…}`
  - `type AzureAD struct{…}`
    - `Config AzureADConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `ConditionalAccessEnabled bool` Should Cloudflare try to load authentication contexts from your account
      - `DirectoryID string` Your Azure directory uuid
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `Prompt AzureADConfigPrompt` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.
        - `const AzureADConfigPromptLogin AzureADConfigPrompt = "login"`
        - `const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"`
        - `const AzureADConfigPromptNone AzureADConfigPrompt = "none"`
      - `SupportGroups bool` Should Cloudflare try to load groups from your account
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"`
      - `const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"`
      - `const IdentityProviderTypeSAML IdentityProviderType = "saml"`
      - `const IdentityProviderTypeCentrify IdentityProviderType = "centrify"`
      - `const IdentityProviderTypeFacebook IdentityProviderType = "facebook"`
      - `const IdentityProviderTypeGitHub IdentityProviderType = "github"`
      - `const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"`
      - `const IdentityProviderTypeGoogle IdentityProviderType = "google"`
      - `const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"`
      - `const IdentityProviderTypeOIDC IdentityProviderType = "oidc"`
      - `const IdentityProviderTypeOkta IdentityProviderType = "okta"`
      - `const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"`
      - `const IdentityProviderTypePingone IdentityProviderType = "pingone"`
      - `const IdentityProviderTypeYandex IdentityProviderType = "yandex"`
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `Enabled bool` A flag to enable or disable SCIM for the identity provider.
      - `IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehavior` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"`
      - `SCIMBaseURL string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `SeatDeprovision bool` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `Secret string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `UserDeprovision bool` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `type IdentityProviderListResponseAccessCentrify struct{…}`
    - `Config IdentityProviderListResponseAccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `CentrifyAccount string` Your centrify account url
      - `CentrifyAppID string` Your centrify app id
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider.
      To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessFacebook struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessGitHub struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessGoogle struct{…}`
    - `Config IdentityProviderListResponseAccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessGoogleApps struct{…}`
    - `Config IdentityProviderListResponseAccessGoogleAppsConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AppsDomain string` Your company's TLD
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider.
      To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessLinkedin struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessOIDC struct{…}`
    - `Config IdentityProviderListResponseAccessOIDCConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AuthURL string` The authorization_endpoint URL of your IdP
      - `CERTsURL string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `PKCEEnabled bool` Enable Proof Key for Code Exchange (PKCE)
      - `Scopes []string` OAuth scopes
      - `TokenURL string` The token_endpoint URL of your IdP
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessOkta struct{…}`
    - `Config IdentityProviderListResponseAccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AuthorizationServerID string` Your okta authorization server id
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `OktaAccount string` Your okta account url
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessOnelogin struct{…}`
    - `Config IdentityProviderListResponseAccessOneloginConfig` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `OneloginAccount string` Your OneLogin account url
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessPingone struct{…}`
    - `Config IdentityProviderListResponseAccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `PingEnvID string` Your PingOne environment identifier
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessSAML struct{…}`
    - `Config IdentityProviderListResponseAccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Attributes []string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `EmailAttributeName string` The attribute name for email in the SAML response.
      - `HeaderAttributes []IdentityProviderListResponseAccessSAMLConfigHeaderAttribute` Add a list of attribute names that will be returned in the response header from the Access callback.
        - `AttributeName string` attribute name from the IDP
        - `HeaderName string` header that will be added on the request to the origin
      - `IdPPublicCERTs []string` X509 certificate to verify the signature in the SAML authentication response
      - `IssuerURL string` IdP Entity ID or Issuer URL
      - `SignRequest bool` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `SSOTargetURL string` URL to send the SAML authentication requests to
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderListResponseAccessYandex struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.IdentityProviders.List(context.TODO(), zero_trust.IdentityProviderListParams{
    // Set exactly one of AccountID or ZoneID; they are mutually exclusive.
    AccountID: cloudflare.F("account_id"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "config": {
        "claims": [
          "email_verified",
          "preferred_username",
          "custom_claim_name"
        ],
        "client_id": "",
        "client_secret": "",
        "conditional_access_enabled": true,
        "directory_id": "",
        "email_claim_name": "custom_claim_name",
        "prompt": "login",
        "support_groups": true
      },
      "name": "Widget Corps IDP",
      "type": "onetimepin",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "scim_config": {
        "enabled": true,
        "identity_update_behavior": "automatic",
        "scim_base_url": "scim_base_url",
        "seat_deprovision": true,
        "secret": "secret",
        "user_deprovision": true
      }
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access identity provider

`client.ZeroTrust.IdentityProviders.Get(ctx, identityProviderID, query) (*IdentityProvider, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Fetches a configured identity provider.

### Parameters

- `identityProviderID string` UUID.
- `query IdentityProviderGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type IdentityProvider interface{…}`
  - `type AzureAD struct{…}`
    - `Config AzureADConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `ConditionalAccessEnabled bool` Should Cloudflare try to load authentication contexts from your account
      - `DirectoryID string` Your Azure directory uuid
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `Prompt AzureADConfigPrompt` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error.
        prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.
        - `const AzureADConfigPromptLogin AzureADConfigPrompt = "login"`
        - `const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"`
        - `const AzureADConfigPromptNone AzureADConfigPrompt = "none"`
      - `SupportGroups bool` Should Cloudflare try to load groups from your account
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"`
      - `const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"`
      - `const IdentityProviderTypeSAML IdentityProviderType = "saml"`
      - `const IdentityProviderTypeCentrify IdentityProviderType = "centrify"`
      - `const IdentityProviderTypeFacebook IdentityProviderType = "facebook"`
      - `const IdentityProviderTypeGitHub IdentityProviderType = "github"`
      - `const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"`
      - `const IdentityProviderTypeGoogle IdentityProviderType = "google"`
      - `const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"`
      - `const IdentityProviderTypeOIDC IdentityProviderType = "oidc"`
      - `const IdentityProviderTypeOkta IdentityProviderType = "okta"`
      - `const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"`
      - `const IdentityProviderTypePingone IdentityProviderType = "pingone"`
      - `const IdentityProviderTypeYandex IdentityProviderType = "yandex"`
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `Enabled bool` A flag to enable or disable SCIM for the identity provider.
      - `IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehavior` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"`
      - `SCIMBaseURL string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `SeatDeprovision bool` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `Secret string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `UserDeprovision bool` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `type IdentityProviderAccessCentrify struct{…}`
    - `Config IdentityProviderAccessCentrifyConfig` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `CentrifyAccount string` Your centrify account url
      - `CentrifyAppID string` Your centrify app id
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessFacebook struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGitHub struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGoogle struct{…}`
    - `Config IdentityProviderAccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGoogleApps struct{…}`
    - `Config IdentityProviderAccessGoogleAppsConfig` The configuration parameters for the identity provider.
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `AppsDomain string` Your companies TLD - `Claims []string` Custom claims - `ClientID string` Your OAuth Client ID - `ClientSecret string` Your OAuth Client Secret - `EmailClaimName string` The claim name for email in the id_token response. - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessLinkedin struct{…}` - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessOIDC struct{…}` - `Config IdentityProviderAccessOIDCConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `AuthURL string` The authorization_endpoint URL of your IdP - `CERTsURL string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens - `Claims []string` Custom claims - `ClientID string` Your OAuth Client ID - `ClientSecret string` Your OAuth Client Secret - `EmailClaimName string` The claim name for email in the id_token response. - `PKCEEnabled bool` Enable Proof Key for Code Exchange (PKCE) - `Scopes []string` OAuth scopes - `TokenURL string` The token_endpoint URL of your IdP - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessOkta struct{…}` - `Config IdentityProviderAccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `AuthorizationServerID string` Your okta authorization server id - `Claims []string` Custom claims - `ClientID string` Your OAuth Client ID - `ClientSecret string` Your OAuth Client Secret - `EmailClaimName string` The claim name for email in the id_token response. - `OktaAccount string` Your okta account url - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessOnelogin struct{…}` - `Config IdentityProviderAccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `Claims []string` Custom claims - `ClientID string` Your OAuth Client ID - `ClientSecret string` Your OAuth Client Secret - `EmailClaimName string` The claim name for email in the id_token response. - `OneloginAccount string` Your OneLogin account url - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessPingone struct{…}` - `Config IdentityProviderAccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `Claims []string` Custom claims - `ClientID string` Your OAuth Client ID - `ClientSecret string` Your OAuth Client Secret - `EmailClaimName string` The claim name for email in the id_token response. 
- `PingEnvID string` Your PingOne environment identifier - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessSAML struct{…}` - `Config IdentityProviderAccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `Attributes []string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. - `EmailAttributeName string` The attribute name for email in the SAML response. - `HeaderAttributes []IdentityProviderAccessSAMLConfigHeaderAttribute` Add a list of attribute names that will be returned in the response header from the Access callback. - `AttributeName string` attribute name from the IDP - `HeaderName string` header that will be added on the request to the origin - `IdPPublicCERTs []string` X509 certificate to verify the signature in the SAML authentication response - `IssuerURL string` IdP Entity ID or Issuer URL - `SignRequest bool` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. - `SSOTargetURL string` URL to send the SAML authentication requests to - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessYandex struct{…}` - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessOnetimepin struct{…}` - `Config IdentityProviderAccessOnetimepinConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `RedirectURL string` - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 

### Example

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Read the API token from the environment instead of hardcoding it.
		option.WithAPIToken(os.Getenv("CLOUDFLARE_API_TOKEN")),
	)
	identityProvider, err := client.ZeroTrust.IdentityProviders.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.IdentityProviderGetParams{
			// Set exactly one of AccountID or ZoneID; "<ACCOUNT_ID>" is a placeholder.
			AccountID: cloudflare.F("<ACCOUNT_ID>"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	// %+v dumps every field, including any client or SCIM secret in the response.
	fmt.Printf("%+v\n", identityProvider)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Add an Access identity provider

`client.ZeroTrust.IdentityProviders.New(ctx, params) (*IdentityProvider, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers`

Adds a new identity provider to Access.

### Parameters

- `params IdentityProviderNewParams`
  - `AzureAD param.Field[AzureAD]` Body param
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type IdentityProvider interface{…}`
  - `type AzureAD struct{…}`
    - `Config AzureADConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `ConditionalAccessEnabled bool` Should Cloudflare try to load authentication contexts from your account
      - `DirectoryID string` Your Azure directory UUID
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `Prompt AzureADConfigPrompt` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.
        - `const AzureADConfigPromptLogin AzureADConfigPrompt = "login"`
        - `const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"`
        - `const AzureADConfigPromptNone AzureADConfigPrompt = "none"`
      - `SupportGroups bool` Should Cloudflare try to load groups from your account
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"`
      - `const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"`
      - `const IdentityProviderTypeSAML IdentityProviderType = "saml"`
      - `const IdentityProviderTypeCentrify IdentityProviderType = "centrify"`
      - `const IdentityProviderTypeFacebook IdentityProviderType = "facebook"`
      - `const IdentityProviderTypeGitHub IdentityProviderType = "github"`
      - `const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"`
      - `const IdentityProviderTypeGoogle IdentityProviderType = "google"`
      - `const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"`
      - `const IdentityProviderTypeOIDC IdentityProviderType = "oidc"`
      - `const IdentityProviderTypeOkta IdentityProviderType = "okta"`
      - `const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"`
      - `const IdentityProviderTypePingone IdentityProviderType = "pingone"`
      - `const IdentityProviderTypeYandex IdentityProviderType = "yandex"`
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `Enabled bool` A flag to enable or disable SCIM for the identity provider.
      - `IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehavior` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"`
      - `SCIMBaseURL string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `SeatDeprovision bool` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `Secret string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `UserDeprovision bool` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `type IdentityProviderAccessCentrify struct{…}`
    - `Config IdentityProviderAccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `CentrifyAccount string` Your Centrify account URL
      - `CentrifyAppID string` Your Centrify app ID
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessFacebook struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGitHub struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGoogle struct{…}`
    - `Config IdentityProviderAccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGoogleApps struct{…}`
    - `Config IdentityProviderAccessGoogleAppsConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AppsDomain string` Your company's TLD
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessLinkedin struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessOIDC struct{…}`
    - `Config IdentityProviderAccessOIDCConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AuthURL string` The authorization_endpoint URL of your IdP
      - `CERTsURL string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `PKCEEnabled bool` Enable Proof Key for Code Exchange (PKCE)
      - `Scopes []string` OAuth scopes
      - `TokenURL string` The token_endpoint URL of your IdP
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessOkta struct{…}`
    - `Config IdentityProviderAccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AuthorizationServerID string` Your Okta authorization server ID
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `OktaAccount string` Your Okta account URL
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessOnelogin struct{…}`
    - `Config IdentityProviderAccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `OneloginAccount string` Your OneLogin account URL
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessPingone struct{…}`
    - `Config IdentityProviderAccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `PingEnvID string` Your PingOne environment identifier
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessSAML struct{…}`
    - `Config IdentityProviderAccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Attributes []string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `EmailAttributeName string` The attribute name for email in the SAML response.
      - `HeaderAttributes []IdentityProviderAccessSAMLConfigHeaderAttribute` Add a list of attribute names that will be returned in the response header from the Access callback.
        - `AttributeName string` Attribute name from the IdP
        - `HeaderName string` Header that will be added on the request to the origin
      - `IdPPublicCERTs []string` X509 certificate to verify the signature in the SAML authentication response
      - `IssuerURL string` IdP Entity ID or Issuer URL
      - `SignRequest bool` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `SSOTargetURL string` URL to send the SAML authentication requests to
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessYandex struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessOnetimepin struct{…}`
    - `Config IdentityProviderAccessOnetimepinConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `RedirectURL string`
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
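
The SCIM fields documented above decide whether a user removed at the identity provider actually loses Access sessions and seats, and the response can carry `client_secret` and the SCIM `secret`. The following is an added example, not part of the Cloudflare SDK or its documentation: standard-library Go that audits a response body shaped like the sample response for those SCIM rules and redacts both secrets before logging. The function names, finding codes and sample bodies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample bodies; the JSON keys are those in the page's sample response.
const sampleHardened = `{"success":true,"result":{"name":"Widget Corps IDP","type":"azureAD",
 "config":{"client_id":"example-client","client_secret":"example-client-secret"},
 "scim_config":{"enabled":true,"identity_update_behavior":"automatic",
  "seat_deprovision":true,"secret":"example-scim-secret","user_deprovision":true}}}`

const sampleWeak = `{"success":true,"result":{"name":"Legacy IDP","type":"okta",
 "config":{"client_id":"example-client","client_secret":"example-client-secret"},
 "scim_config":{"enabled":true,"identity_update_behavior":"no_action",
  "seat_deprovision":true,"secret":"example-scim-secret","user_deprovision":false}}}`

// scimConfig mirrors only the scim_config fields the audit reads.
type scimConfig struct {
	Enabled                bool   `json:"enabled"`
	IdentityUpdateBehavior string `json:"identity_update_behavior"`
	SeatDeprovision        bool   `json:"seat_deprovision"`
	UserDeprovision        bool   `json:"user_deprovision"`
}

type envelope struct {
	Success bool `json:"success"`
	Result  struct {
		Name string      `json:"name"`
		SCIM *scimConfig `json:"scim_config"`
	} `json:"result"`
}

// AuditSCIM returns finding codes (hypothetical names) for one response body.
func AuditSCIM(body []byte) ([]string, error) {
	var env envelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, fmt.Errorf("API reported failure")
	}
	s := env.Result.SCIM
	if s == nil || !s.Enabled {
		// No SCIM: deprovisioning at the IdP is never pushed to Access.
		return []string{"SCIM_DISABLED"}, nil
	}
	var findings []string
	if !s.UserDeprovision {
		// Sessions in Access and Gateway survive deprovisioning at the IdP.
		findings = append(findings, "NO_SESSION_REVOCATION")
	}
	if s.SeatDeprovision && !s.UserDeprovision {
		// The page states seat_deprovision requires user_deprovision.
		findings = append(findings, "SEAT_WITHOUT_USER_DEPROVISION")
	}
	switch s.IdentityUpdateBehavior {
	case "automatic", "reauth":
	case "no_action":
		// SCIM updates never change the identity used for policy evaluation.
		findings = append(findings, "IDENTITY_NOT_UPDATED")
	default:
		findings = append(findings, "UNKNOWN_UPDATE_BEHAVIOR")
	}
	return findings, nil
}

// RedactForLog returns the body with client_secret and the SCIM secret masked.
func RedactForLog(body []byte) (string, error) {
	var doc map[string]any
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", fmt.Errorf("decode response: %w", err)
	}
	result, _ := doc["result"].(map[string]any)
	for _, p := range [][2]string{{"config", "client_secret"}, {"scim_config", "secret"}} {
		section, _ := result[p[0]].(map[string]any)
		if v, ok := section[p[1]].(string); ok && v != "" {
			section[p[1]] = "[REDACTED]"
		}
	}
	out, err := json.Marshal(doc)
	return string(out), err
}

func main() {
	for _, body := range []string{sampleHardened, sampleWeak} {
		findings, err := AuditSCIM([]byte(body))
		if err != nil {
			panic(err)
		}
		safe, err := RedactForLog([]byte(body))
		if err != nil {
			panic(err)
		}
		fmt.Println(findings, safe)
	}
}
```
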

### Example

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Read the API token from the environment instead of hardcoding it.
		option.WithAPIToken(os.Getenv("CLOUDFLARE_API_TOKEN")),
	)
	identityProvider, err := client.ZeroTrust.IdentityProviders.New(context.TODO(), zero_trust.IdentityProviderNewParams{
		// Set exactly one of AccountID or ZoneID; "<ACCOUNT_ID>" is a placeholder.
		AccountID: cloudflare.F("<ACCOUNT_ID>"),
		IdentityProvider: zero_trust.AzureADParam{
			Config: cloudflare.F(zero_trust.AzureADConfigParam{}),
			Name:   cloudflare.F("Widget Corps IDP"),
			Type:   cloudflare.F(zero_trust.IdentityProviderTypeOnetimepin),
		},
	})
	if err != nil {
		panic(err.Error())
	}
	// %+v dumps every field, including any client or SCIM secret in the response.
	fmt.Printf("%+v\n", identityProvider)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Update an Access identity provider

`client.ZeroTrust.IdentityProviders.Update(ctx, identityProviderID, params) (*IdentityProvider, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Updates a configured identity provider.

### Parameters

- `identityProviderID string` UUID.
- `params IdentityProviderUpdateParams`
  - `AzureAD param.Field[AzureAD]` Body param
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type IdentityProvider interface{…}`
  - `type AzureAD struct{…}`
    - `Config AzureADConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `ConditionalAccessEnabled bool` Should Cloudflare try to load authentication contexts from your account
      - `DirectoryID string` Your Azure directory UUID
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `Prompt AzureADConfigPrompt` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or remembered, or an option to use a different account altogether.
        - `const AzureADConfigPromptLogin AzureADConfigPrompt = "login"`
        - `const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"`
        - `const AzureADConfigPromptNone AzureADConfigPrompt = "none"`
      - `SupportGroups bool` Should Cloudflare try to load groups from your account
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"`
      - `const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"`
      - `const IdentityProviderTypeSAML IdentityProviderType = "saml"`
      - `const IdentityProviderTypeCentrify IdentityProviderType = "centrify"`
      - `const IdentityProviderTypeFacebook IdentityProviderType = "facebook"`
      - `const IdentityProviderTypeGitHub IdentityProviderType = "github"`
      - `const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"`
      - `const IdentityProviderTypeGoogle IdentityProviderType = "google"`
      - `const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"`
      - `const IdentityProviderTypeOIDC IdentityProviderType = "oidc"`
      - `const IdentityProviderTypeOkta IdentityProviderType = "okta"`
      - `const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"`
      - `const IdentityProviderTypePingone IdentityProviderType = "pingone"`
      - `const IdentityProviderTypeYandex IdentityProviderType = "yandex"`
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `Enabled bool` A flag to enable or disable SCIM for the identity provider.
      - `IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehavior` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"`
      - `SCIMBaseURL string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `SeatDeprovision bool` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `Secret string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `UserDeprovision bool` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `type IdentityProviderAccessCentrify struct{…}`
    - `Config IdentityProviderAccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `CentrifyAccount string` Your Centrify account URL
      - `CentrifyAppID string` Your Centrify app ID
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessFacebook struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGitHub struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGoogle struct{…}`
    - `Config IdentityProviderAccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGoogleApps struct{…}`
    - `Config IdentityProviderAccessGoogleAppsConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AppsDomain string` Your company's TLD
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessLinkedin struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessOIDC struct{…}`
    - `Config IdentityProviderAccessOIDCConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AuthURL string` The authorization_endpoint URL of your IdP
      - `CERTsURL string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `PKCEEnabled bool` Enable Proof Key for Code Exchange (PKCE)
      - `Scopes []string` OAuth scopes
      - `TokenURL string` The token_endpoint URL of your IdP
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessOkta struct{…}`
    - `Config IdentityProviderAccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AuthorizationServerID string` Your Okta authorization server ID
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `OktaAccount string` Your Okta account URL
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessOnelogin struct{…}`
    - `Config IdentityProviderAccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `OneloginAccount string` Your OneLogin account URL
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessPingone struct{…}`
    - `Config IdentityProviderAccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `PingEnvID string` Your PingOne environment identifier
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessSAML struct{…}`
    - `Config IdentityProviderAccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Attributes []string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `EmailAttributeName string` The attribute name for email in the SAML response.
      - `HeaderAttributes []IdentityProviderAccessSAMLConfigHeaderAttribute` Add a list of attribute names that will be returned in the response header from the Access callback.
        - `AttributeName string` Attribute name from the IdP
        - `HeaderName string` Header that will be added to the request to the origin
      - `IdPPublicCERTs []string` X.509 certificate to verify the signature in the SAML authentication response
      - `IssuerURL string` IdP Entity ID or Issuer URL
      - `SignRequest bool` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `SSOTargetURL string` URL to send the SAML authentication requests to
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessYandex struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessOnetimepin struct{…}`
    - `Config IdentityProviderAccessOnetimepinConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `RedirectURL string`
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
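
The `SCIMConfig` flags described above interact: `seat_deprovision` depends on `user_deprovision`, and `identity_update_behavior` decides whether SCIM changes ever reach policy evaluation. The following is an added example, not code from cloudflare-go or the Cloudflare docs, that audits saved API responses for those combinations using only the Go standard library. The `Finding` type, the rule names and the sample JSON are constructed for illustration, and it assumes a list response carries `result` as an array.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample shaped like this page's "Response" blocks. IDs and names
// are made up; "result" is an array here, as assumed for a list call.
const sampleList = `{"success": true, "result": [
  {"id": "00000000-0000-4000-8000-000000000001", "name": "Corp directory", "type": "azureAD",
   "scim_config": {"enabled": true, "identity_update_behavior": "automatic",
                   "seat_deprovision": true, "user_deprovision": true}},
  {"id": "00000000-0000-4000-8000-000000000002", "name": "Contractors", "type": "okta",
   "scim_config": {"enabled": true, "identity_update_behavior": "no_action",
                   "seat_deprovision": true, "user_deprovision": false}},
  {"id": "00000000-0000-4000-8000-000000000003", "name": "PIN fallback", "type": "onetimepin"}
]}`

// scimConfig and provider mirror only the response fields the audit reads.
type scimConfig struct {
	Enabled                bool   `json:"enabled"`
	IdentityUpdateBehavior string `json:"identity_update_behavior"`
	SeatDeprovision        bool   `json:"seat_deprovision"`
	UserDeprovision        bool   `json:"user_deprovision"`
}

type provider struct {
	ID         string      `json:"id"`
	Name       string      `json:"name"`
	SCIMConfig *scimConfig `json:"scim_config"`
}

// Finding is a hypothetical result type for this example.
type Finding struct {
	ProviderID, Name, Rule, Detail string
}

// auditOne applies the SCIM rules documented on this page to one provider.
func auditOne(p provider) []Finding {
	s := p.SCIMConfig
	if s == nil {
		return nil // no scim_config in the response
	}
	var out []Finding
	add := func(rule, detail string) {
		out = append(out, Finding{ProviderID: p.ID, Name: p.Name, Rule: rule, Detail: detail})
	}
	if s.SeatDeprovision && !s.UserDeprovision {
		add("seat-without-user-deprovision", "seat_deprovision is documented as requiring user_deprovision")
	}
	if !s.Enabled {
		return out // the remaining rules only matter while SCIM is on
	}
	if !s.UserDeprovision {
		add("sessions-survive-deprovision", "Access and Gateway sessions are not revoked when the IdP deprovisions a user")
	}
	switch s.IdentityUpdateBehavior {
	case "automatic", "reauth":
	case "no_action":
		add("stale-identity", "SCIM updates never change the identity used for policy evaluation")
	default:
		add("unknown-update-behavior", fmt.Sprintf("undocumented value %q", s.IdentityUpdateBehavior))
	}
	return out
}

// AuditSCIM decodes an API response envelope whose "result" is one provider
// object or an array of them, and returns the findings in input order.
func AuditSCIM(raw []byte) ([]Finding, error) {
	var env struct {
		Success bool            `json:"success"`
		Result  json.RawMessage `json:"result"`
	}
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode envelope: %w", err)
	}
	if !env.Success {
		return nil, errors.New("response has success=false; nothing to audit")
	}
	var providers []provider
	body := bytes.TrimSpace(env.Result)
	switch {
	case len(body) == 0 || bytes.Equal(body, []byte("null")):
		return nil, nil
	case body[0] == '[':
		if err := json.Unmarshal(body, &providers); err != nil {
			return nil, fmt.Errorf("decode result list: %w", err)
		}
	default:
		var p provider
		if err := json.Unmarshal(body, &p); err != nil {
			return nil, fmt.Errorf("decode result object: %w", err)
		}
		providers = append(providers, p)
	}
	var out []Finding
	for _, p := range providers {
		out = append(out, auditOne(p)...)
	}
	return out, nil
}

func main() {
	findings, err := AuditSCIM([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s (%s): %s: %s\n", f.Name, f.ProviderID, f.Rule, f.Detail)
	}
}
```

The audit reads only the boolean and enum fields, so it can run over archived responses without touching `scim_config.secret` or any client secret.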

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Placeholder token; load the real one from a secret store or environment
	// variable rather than hard-coding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	identityProvider, err := client.ZeroTrust.IdentityProviders.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.IdentityProviderUpdateParams{
			IdentityProvider: zero_trust.AzureADParam{
				// Fill in the Azure AD settings (client ID, client secret, directory ID, ...).
				Config: cloudflare.F(zero_trust.AzureADConfigParam{}),
				Name:   cloudflare.F("Widget Corps IDP"),
				// The type must match the provider being configured.
				Type: cloudflare.F(zero_trust.IdentityProviderTypeAzureAD),
			},
			// AccountID and ZoneID are mutually exclusive path params; the path
			// needs one of them. Placeholder value.
			AccountID: cloudflare.F("YOUR_ACCOUNT_ID"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	// Avoid printing the whole object in real code: it includes the scim_config
	// block, whose secret field is a credential.
	fmt.Printf("%+v\n", identityProvider)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Delete an Access identity provider

`client.ZeroTrust.IdentityProviders.Delete(ctx, identityProviderID, body) (*IdentityProviderDeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Deletes an identity provider from Access.

### Parameters

- `identityProviderID string` UUID.
- `body IdentityProviderDeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type IdentityProviderDeleteResponse struct{…}`
  - `ID string` UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Placeholder token; load the real one from a secret store or environment
	// variable rather than hard-coding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	identityProvider, err := client.ZeroTrust.IdentityProviders.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.IdentityProviderDeleteParams{
			// AccountID and ZoneID are mutually exclusive; the path needs one
			// of them. Placeholder value.
			AccountID: cloudflare.F("YOUR_ACCOUNT_ID"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", identityProvider.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Azure AD

- `type AzureAD struct{…}`
  - `Config AzureADConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Claims []string` Custom claims
    - `ClientID string` Your OAuth Client ID
    - `ClientSecret string` Your OAuth Client Secret
    - `ConditionalAccessEnabled bool` Should Cloudflare try to load authentication contexts from your account
    - `DirectoryID string` Your Azure directory UUID
    - `EmailClaimName string` The claim name for email in the id_token response.
    - `Prompt AzureADConfigPrompt` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or remembered, or an option to use a different account altogether.
      - `const AzureADConfigPromptLogin AzureADConfigPrompt = "login"`
      - `const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"`
      - `const AzureADConfigPromptNone AzureADConfigPrompt = "none"`
    - `SupportGroups bool` Should Cloudflare try to load groups from your account
  - `Name string` The name of the identity provider, shown to users on the login page.
  - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"`
    - `const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"`
    - `const IdentityProviderTypeSAML IdentityProviderType = "saml"`
    - `const IdentityProviderTypeCentrify IdentityProviderType = "centrify"`
    - `const IdentityProviderTypeFacebook IdentityProviderType = "facebook"`
    - `const IdentityProviderTypeGitHub IdentityProviderType = "github"`
    - `const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"`
    - `const IdentityProviderTypeGoogle IdentityProviderType = "google"`
    - `const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"`
    - `const IdentityProviderTypeOIDC IdentityProviderType = "oidc"`
    - `const IdentityProviderTypeOkta IdentityProviderType = "okta"`
    - `const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"`
    - `const IdentityProviderTypePingone IdentityProviderType = "pingone"`
    - `const IdentityProviderTypeYandex IdentityProviderType = "yandex"`
  - `ID string` UUID.
  - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
    - `Enabled bool` A flag to enable or disable SCIM for the identity provider.
    - `IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehavior` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
      - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"`
      - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"`
      - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"`
    - `SCIMBaseURL string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
    - `SeatDeprovision bool` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
    - `Secret string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
    - `UserDeprovision bool` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

### Generic OAuth Config

- `type GenericOAuthConfig struct{…}`
  - `ClientID string` Your OAuth Client ID
  - `ClientSecret string` Your OAuth Client Secret

### Identity Provider

- `type IdentityProvider interface{…}`
  - `type AzureAD struct{…}`
    - `Config AzureADConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `ConditionalAccessEnabled bool` Should Cloudflare try to load authentication contexts from your account
      - `DirectoryID string` Your Azure directory UUID
      - `EmailClaimName string` The claim name for email in the id_token response.
      - `Prompt AzureADConfigPrompt` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or remembered, or an option to use a different account altogether.
        - `const AzureADConfigPromptLogin AzureADConfigPrompt = "login"`
        - `const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"`
        - `const AzureADConfigPromptNone AzureADConfigPrompt = "none"`
      - `SupportGroups bool` Should Cloudflare try to load groups from your account
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"`
      - `const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"`
      - `const IdentityProviderTypeSAML IdentityProviderType = "saml"`
      - `const IdentityProviderTypeCentrify IdentityProviderType = "centrify"`
      - `const IdentityProviderTypeFacebook IdentityProviderType = "facebook"`
      - `const IdentityProviderTypeGitHub IdentityProviderType = "github"`
      - `const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"`
      - `const IdentityProviderTypeGoogle IdentityProviderType = "google"`
      - `const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"`
      - `const IdentityProviderTypeOIDC IdentityProviderType = "oidc"`
      - `const IdentityProviderTypeOkta IdentityProviderType = "okta"`
      - `const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"`
      - `const IdentityProviderTypePingone IdentityProviderType = "pingone"`
      - `const IdentityProviderTypeYandex IdentityProviderType = "yandex"`
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `Enabled bool` A flag to enable or disable SCIM for the identity provider.
      - `IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehavior` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"`
        - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"`
      - `SCIMBaseURL string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `SeatDeprovision bool` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `Secret string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `UserDeprovision bool` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `type IdentityProviderAccessCentrify struct{…}`
    - `Config IdentityProviderAccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `CentrifyAccount string` Your Centrify account URL
      - `CentrifyAppID string` Your Centrify app ID
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessFacebook struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGitHub struct{…}`
    - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGoogle struct{…}`
    - `Config IdentityProviderAccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
    - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `type IdentityProviderAccessGoogleApps struct{…}`
    - `Config IdentityProviderAccessGoogleAppsConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `AppsDomain string` Your company's TLD
      - `Claims []string` Custom claims
      - `ClientID string` Your OAuth Client ID
      - `ClientSecret string` Your OAuth Client Secret
      - `EmailClaimName string` The claim name for email in the id_token response.
    - `Name string` The name of the identity provider, shown to users on the login page.
    - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `ID string` UUID.
- `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessLinkedin struct{…}` - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessOIDC struct{…}` - `Config IdentityProviderAccessOIDCConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `AuthURL string` The authorization_endpoint URL of your IdP - `CERTsURL string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens - `Claims []string` Custom claims - `ClientID string` Your OAuth Client ID - `ClientSecret string` Your OAuth Client Secret - `EmailClaimName string` The claim name for email in the id_token response. - `PKCEEnabled bool` Enable Proof Key for Code Exchange (PKCE) - `Scopes []string` OAuth scopes - `TokenURL string` The token_endpoint URL of your IdP - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessOkta struct{…}` - `Config IdentityProviderAccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `AuthorizationServerID string` Your okta authorization server id - `Claims []string` Custom claims - `ClientID string` Your OAuth Client ID - `ClientSecret string` Your OAuth Client Secret - `EmailClaimName string` The claim name for email in the id_token response. - `OktaAccount string` Your okta account url - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessOnelogin struct{…}` - `Config IdentityProviderAccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `Claims []string` Custom claims - `ClientID string` Your OAuth Client ID - `ClientSecret string` Your OAuth Client Secret - `EmailClaimName string` The claim name for email in the id_token response. 
- `OneloginAccount string` Your OneLogin account url - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessPingone struct{…}` - `Config IdentityProviderAccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `Claims []string` Custom claims - `ClientID string` Your OAuth Client ID - `ClientSecret string` Your OAuth Client Secret - `EmailClaimName string` The claim name for email in the id_token response. - `PingEnvID string` Your PingOne environment identifier - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessSAML struct{…}` - `Config IdentityProviderAccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `Attributes []string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. - `EmailAttributeName string` The attribute name for email in the SAML response. - `HeaderAttributes []IdentityProviderAccessSAMLConfigHeaderAttribute` Add a list of attribute names that will be returned in the response header from the Access callback. - `AttributeName string` attribute name from the IDP - `HeaderName string` header that will be added on the request to the origin - `IdPPublicCERTs []string` X509 certificate to verify the signature in the SAML authentication response - `IssuerURL string` IdP Entity ID or Issuer URL - `SignRequest bool` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. - `SSOTargetURL string` URL to send the SAML authentication requests to - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessYandex struct{…}` - `Config GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `type IdentityProviderAccessOnetimepin struct{…}` - `Config IdentityProviderAccessOnetimepinConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `RedirectURL string` - `Name string` The name of the identity provider, shown to users on the login page. - `Type IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `ID string` UUID. - `SCIMConfig IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. ### Identity Provider SCIM Config - `type IdentityProviderSCIMConfig struct{…}` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `Enabled bool` A flag to enable or disable SCIM for the identity provider. - `IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehavior` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. 
With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"` - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"` - `const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"` - `SCIMBaseURL string` The base URL of Cloudflare's SCIM V2.0 API endpoint. - `SeatDeprovision bool` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `Secret string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `UserDeprovision bool` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. ### Identity Provider Type - `type IdentityProviderType string` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
  - `const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"`
  - `const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"`
  - `const IdentityProviderTypeSAML IdentityProviderType = "saml"`
  - `const IdentityProviderTypeCentrify IdentityProviderType = "centrify"`
  - `const IdentityProviderTypeFacebook IdentityProviderType = "facebook"`
  - `const IdentityProviderTypeGitHub IdentityProviderType = "github"`
  - `const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"`
  - `const IdentityProviderTypeGoogle IdentityProviderType = "google"`
  - `const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"`
  - `const IdentityProviderTypeOIDC IdentityProviderType = "oidc"`
  - `const IdentityProviderTypeOkta IdentityProviderType = "okta"`
  - `const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"`
  - `const IdentityProviderTypePingone IdentityProviderType = "pingone"`
  - `const IdentityProviderTypeYandex IdentityProviderType = "yandex"`

# SCIM

# Groups

## List SCIM Group resources

`client.ZeroTrust.IdentityProviders.SCIM.Groups.List(ctx, identityProviderID, params) (*V4PagePaginationArray[ZeroTrustGroup], error)`

**get** `/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/groups`

Lists SCIM Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Parameters

- `identityProviderID string` UUID.
- `params IdentityProviderSCIMGroupListParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `CfResourceID param.Field[string]` Query param: The unique Cloudflare-generated Id of the SCIM Group resource; also known as the "Id".
  - `IdPResourceID param.Field[string]` Query param: The IdP-generated Id of the SCIM Group resource; also known as the "external Id".
  - `Name param.Field[string]` Query param: The display name of the SCIM Group resource.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.

### Returns

- `type ZeroTrustGroup struct{…}`
  - `ID string` The unique Cloudflare-generated Id of the SCIM resource.
  - `DisplayName string` The display name of the SCIM Group resource.
  - `ExternalID string` The IdP-generated Id of the SCIM resource.
  - `Meta ZeroTrustGroupMeta` The metadata of the SCIM resource.
    - `Created Time` The timestamp of when the SCIM resource was created.
    - `LastModified Time` The timestamp of when the SCIM resource was last modified.
  - `Schemas []string` The list of URIs which indicate the attributes contained within a SCIM resource.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.IdentityProviders.SCIM.Groups.List(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.IdentityProviderSCIMGroupListParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "displayName": "ALL EMPLOYEES",
      "externalId": "all_employees",
      "meta": {
        "created": "2025-01-01T00:00:00Z",
        "lastModified": "2025-01-02T00:00:00Z"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
      ]
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Users

## List SCIM User resources

`client.ZeroTrust.IdentityProviders.SCIM.Users.List(ctx, identityProviderID, params) (*V4PagePaginationArray[AccessUser], error)`

**get** `/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/users`

Lists SCIM User resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Parameters

- `identityProviderID string` UUID.
- `params IdentityProviderSCIMUserListParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `CfResourceID param.Field[string]` Query param: The unique Cloudflare-generated Id of the SCIM User resource; also known as the "Id".
  - `Email param.Field[string]` Query param: The email address of the SCIM User resource.
  - `IdPResourceID param.Field[string]` Query param: The IdP-generated Id of the SCIM User resource; also known as the "external Id".
  - `Name param.Field[string]` Query param: The name of the SCIM User resource.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `Username param.Field[string]` Query param: The username of the SCIM User resource.

### Returns

- `type AccessUser struct{…}`
  - `ID string` The unique Cloudflare-generated Id of the SCIM resource.
  - `Active bool` Determines the status of the SCIM User resource.
  - `DisplayName string` The name of the SCIM User resource.
  - `Emails []AccessUserEmail`
    - `Primary bool` Indicates if the email address is the primary email belonging to the SCIM User resource.
    - `Type string` Indicates the type of the email address.
    - `Value string` The email address of the SCIM User resource.
  - `ExternalID string` The IdP-generated Id of the SCIM resource.
  - `Meta AccessUserMeta` The metadata of the SCIM resource.
    - `Created Time` The timestamp of when the SCIM resource was created.
    - `LastModified Time` The timestamp of when the SCIM resource was last modified.
  - `Schemas []string` The list of URIs which indicate the attributes contained within a SCIM resource.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.IdentityProviders.SCIM.Users.List(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.IdentityProviderSCIMUserListParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "active": true,
      "displayName": "John Smith",
      "emails": [
        {
          "primary": true,
          "type": "work",
          "value": "john.smith@example.com"
        }
      ],
      "externalId": "john_smith",
      "meta": {
        "created": "2025-01-01T00:00:00Z",
        "lastModified": "2025-01-02T00:00:00Z"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ]
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Organizations

## Get your Zero Trust organization

`client.ZeroTrust.Organizations.List(ctx, query) (*Organization, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Returns the configuration for your Zero Trust organization.

### Parameters

- `query OrganizationListParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type Organization struct{…}`
  - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `AuthDomain string` The unique subdomain assigned to your Zero Trust organization.
  - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login.
  - `CustomPages OrganizationCustomPages`
    - `Forbidden string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `IdentityDenied string` The uid of the custom page to use when a user is denied access.
  - `DenyUnmatchedRequests bool` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `DenyUnmatchedRequestsExemptedZoneNames []string` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `IsUIReadOnly bool` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `LoginDesign LoginDesign`
    - `BackgroundColor string` The background color on your login page.
    - `FooterText string` The text at the bottom of your login page.
    - `HeaderText string` The text at the top of your login page.
    - `LogoPath string` The URL of the logo on your login page.
    - `TextColor string` The text color on your login page.
  - `MfaConfig OrganizationMfaConfig` Configures multi-factor authentication (MFA) settings for an organization.
    - `AllowedAuthenticators []OrganizationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const OrganizationMfaConfigAllowedAuthenticatorTotp OrganizationMfaConfigAllowedAuthenticator = "totp"`
      - `const OrganizationMfaConfigAllowedAuthenticatorBiometrics OrganizationMfaConfigAllowedAuthenticator = "biometrics"`
      - `const OrganizationMfaConfigAllowedAuthenticatorSecurityKey OrganizationMfaConfigAllowedAuthenticator = "security_key"`
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `MfaRequiredForAllApps bool` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `Name string` The name of your Zero Trust organization.
  - `SessionDuration string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UIReadOnlyToggleReason string` A description of the reason why the UI read only field is being toggled.
  - `UserSeatExpirationInactiveTime string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `WARPAuthSessionDuration string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.
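
The duration formats, limits and MFA preconditions listed for `Organization` above can be checked mechanically against the `result` object this endpoint returns. The following is an added example, not part of cloudflare-go or of the original page; `auditOrganization`, `Finding` and the other helper names are hypothetical, and `flawedResult` is a constructed sample. It works on the raw JSON field names shown in the response and needs only the Go standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Finding is one setting that breaks a constraint documented above (hypothetical type).
type Finding struct{ Field, Problem string }

// organization holds only the fields of the "result" object that are audited here.
type organization struct {
	DenyUnmatchedRequests bool `json:"deny_unmatched_requests"`
	MfaConfig             struct {
		AllowedAuthenticators []string `json:"allowed_authenticators"`
		SessionDuration       string   `json:"session_duration"`
	} `json:"mfa_config"`
	MfaRequiredForAllApps bool   `json:"mfa_required_for_all_apps"`
	SessionDuration       string `json:"session_duration"`
	UserSeatExpiration    string `json:"user_seat_expiration_inactive_time"`
	WARPAuthSession       string `json:"warp_auth_session_duration"`
}

var (
	termRe    = regexp.MustCompile(`[0-9]+(?:\.[0-9]+)?(ns|us|µs|ms|s|m|h)`)
	allUnits  = []string{"ns", "us", "µs", "ms", "s", "m", "h"}
	minOrHour = []string{"m", "h"}
)

// parseDuration accepts strings such as "300ms" or "2h45m" and rejects any
// term whose unit is not in units, which time.ParseDuration alone would allow.
func parseDuration(s string, units []string) (time.Duration, error) {
	covered := 0
	for _, term := range termRe.FindAllStringSubmatch(s, -1) {
		covered += len(term[0])
		allowed := false
		for _, u := range units {
			allowed = allowed || u == term[1]
		}
		if !allowed {
			return 0, fmt.Errorf("unit %q is not allowed", term[1])
		}
	}
	if s == "" || covered != len(s) {
		return 0, fmt.Errorf("malformed duration")
	}
	return time.ParseDuration(s)
}

// checkDuration validates one field; an empty value means "not configured"
// and max == 0 means "no documented maximum".
func checkDuration(field, value string, min, max time.Duration, units []string) []Finding {
	if value == "" {
		return nil
	}
	d, err := parseDuration(value, units)
	switch {
	case err != nil:
		return []Finding{{field, fmt.Sprintf("%q: %v", value, err)}}
	case d < min:
		return []Finding{{field, fmt.Sprintf("%q is below the documented minimum of %s", value, min)}}
	case max > 0 && d > max:
		return []Finding{{field, fmt.Sprintf("%q is above the documented maximum of %s", value, max)}}
	}
	return nil
}

// auditOrganization applies the constraints documented for Organization to the
// JSON "result" object and returns the findings in a fixed order.
func auditOrganization(raw []byte) ([]Finding, error) {
	var org organization
	if err := json.Unmarshal(raw, &org); err != nil {
		return nil, err
	}
	var out []Finding
	if !org.DenyUnmatchedRequests {
		out = append(out, Finding{"deny_unmatched_requests",
			"requests to protected resources that lack an Access application are not denied"})
	}
	mfa := org.MfaConfig
	if org.MfaRequiredForAllApps && (len(mfa.AllowedAuthenticators) == 0 || mfa.SessionDuration == "") {
		out = append(out, Finding{"mfa_required_for_all_apps",
			"needs at least one allowed authenticator and an MFA session duration"})
	}
	out = append(out, checkDuration("mfa_config.session_duration", mfa.SessionDuration, 0, 720*time.Hour, minOrHour)...)
	out = append(out, checkDuration("session_duration", org.SessionDuration, 0, 0, allUnits)...)
	out = append(out, checkDuration("user_seat_expiration_inactive_time", org.UserSeatExpiration, 730*time.Hour, 0, allUnits)...)
	out = append(out, checkDuration("warp_auth_session_duration", org.WARPAuthSession, 0, 0, minOrHour)...)
	return out, nil
}

// Constructed sample: a "result" object with several settings outside the documented limits.
const flawedResult = `{"deny_unmatched_requests": false,
  "mfa_config": {"allowed_authenticators": [], "session_duration": "800h"},
  "mfa_required_for_all_apps": true, "session_duration": "24h",
  "user_seat_expiration_inactive_time": "720h", "warp_auth_session_duration": "90s"}`

// The audited fields with the values from the example response on this page.
const pageResult = `{"deny_unmatched_requests": true,
  "mfa_config": {"allowed_authenticators": ["totp", "biometrics", "security_key"], "session_duration": "24h"},
  "mfa_required_for_all_apps": false, "session_duration": "24h",
  "user_seat_expiration_inactive_time": "730h", "warp_auth_session_duration": "24h"}`

func main() {
	findings, err := auditOrganization([]byte(flawedResult))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-36s %s\n", f.Field, f.Problem)
	}
}
```
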

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	organization, err := client.ZeroTrust.Organizations.List(context.TODO(), zero_trust.OrganizationListParams{
		// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", organization.AutoRedirectToIdentity)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Create your Zero Trust organization
`client.ZeroTrust.Organizations.New(ctx, params) (*Organization, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Sets up a Zero Trust organization for your account or zone.

### Parameters

- `params OrganizationNewParams`
  - `AuthDomain param.Field[string]` Body param: The unique subdomain assigned to your Zero Trust organization.
  - `Name param.Field[string]` Body param: The name of your Zero Trust organization.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AllowAuthenticateViaWARP param.Field[bool]` Body param: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `AutoRedirectToIdentity param.Field[bool]` Body param: When set to `true`, users skip the identity provider selection step during login.
  - `DenyUnmatchedRequests param.Field[bool]` Body param: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `DenyUnmatchedRequestsExemptedZoneNames param.Field[[]string]` Body param: Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `IsUIReadOnly param.Field[bool]` Body param: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `LoginDesign param.Field[LoginDesign]` Body param
  - `MfaConfig param.Field[OrganizationNewParamsMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings for an organization.
    - `AllowedAuthenticators []OrganizationNewParamsMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const OrganizationNewParamsMfaConfigAllowedAuthenticatorTotp OrganizationNewParamsMfaConfigAllowedAuthenticator = "totp"`
      - `const OrganizationNewParamsMfaConfigAllowedAuthenticatorBiometrics OrganizationNewParamsMfaConfigAllowedAuthenticator = "biometrics"`
      - `const OrganizationNewParamsMfaConfigAllowedAuthenticatorSecurityKey OrganizationNewParamsMfaConfigAllowedAuthenticator = "security_key"`
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `MfaRequiredForAllApps param.Field[bool]` Body param: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UIReadOnlyToggleReason param.Field[string]` Body param: A description of the reason why the UI read only field is being toggled.
  - `UserSeatExpirationInactiveTime param.Field[string]` Body param: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `WARPAuthSessionDuration param.Field[string]` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Returns

- `type Organization struct{…}`
  - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `AuthDomain string` The unique subdomain assigned to your Zero Trust organization.
  - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login.
  - `CustomPages OrganizationCustomPages`
    - `Forbidden string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `IdentityDenied string` The uid of the custom page to use when a user is denied access.
  - `DenyUnmatchedRequests bool` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `DenyUnmatchedRequestsExemptedZoneNames []string` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `IsUIReadOnly bool` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `LoginDesign LoginDesign`
    - `BackgroundColor string` The background color on your login page.
    - `FooterText string` The text at the bottom of your login page.
    - `HeaderText string` The text at the top of your login page.
    - `LogoPath string` The URL of the logo on your login page.
    - `TextColor string` The text color on your login page.
  - `MfaConfig OrganizationMfaConfig` Configures multi-factor authentication (MFA) settings for an organization.
    - `AllowedAuthenticators []OrganizationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const OrganizationMfaConfigAllowedAuthenticatorTotp OrganizationMfaConfigAllowedAuthenticator = "totp"`
      - `const OrganizationMfaConfigAllowedAuthenticatorBiometrics OrganizationMfaConfigAllowedAuthenticator = "biometrics"`
      - `const OrganizationMfaConfigAllowedAuthenticatorSecurityKey OrganizationMfaConfigAllowedAuthenticator = "security_key"`
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `MfaRequiredForAllApps bool` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `Name string` The name of your Zero Trust organization.
  - `SessionDuration string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UIReadOnlyToggleReason string` A description of the reason why the UI read only field is being toggled.
  - `UserSeatExpirationInactiveTime string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `WARPAuthSessionDuration string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	organization, err := client.ZeroTrust.Organizations.New(context.TODO(), zero_trust.OrganizationNewParams{
		AuthDomain: cloudflare.F("test.cloudflareaccess.com"),
		Name:       cloudflare.F("Widget Corps Internal Applications"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", organization.AutoRedirectToIdentity)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Update your Zero Trust organization

`client.ZeroTrust.Organizations.Update(ctx, params) (*Organization, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Updates the configuration for your Zero Trust organization.

### Parameters

- `params OrganizationUpdateParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AllowAuthenticateViaWARP param.Field[bool]` Body param: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `AuthDomain param.Field[string]` Body param: The unique subdomain assigned to your Zero Trust organization.
  - `AutoRedirectToIdentity param.Field[bool]` Body param: When set to `true`, users skip the identity provider selection step during login.
  - `CustomPages param.Field[OrganizationUpdateParamsCustomPages]` Body param
    - `Forbidden string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `IdentityDenied string` The uid of the custom page to use when a user is denied access.
  - `DenyUnmatchedRequests param.Field[bool]` Body param: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `DenyUnmatchedRequestsExemptedZoneNames param.Field[[]string]` Body param: Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `IsUIReadOnly param.Field[bool]` Body param: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `LoginDesign param.Field[LoginDesign]` Body param
  - `MfaConfig param.Field[OrganizationUpdateParamsMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings for an organization.
    - `AllowedAuthenticators []OrganizationUpdateParamsMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorTotp OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "totp"`
      - `const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorBiometrics OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "biometrics"`
      - `const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorSecurityKey OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "security_key"`
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `MfaRequiredForAllApps param.Field[bool]` Body param: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `Name param.Field[string]` Body param: The name of your Zero Trust organization.
  - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UIReadOnlyToggleReason param.Field[string]` Body param: A description of the reason why the UI read only field is being toggled.
  - `UserSeatExpirationInactiveTime param.Field[string]` Body param: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `WARPAuthSessionDuration param.Field[string]` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Returns

- `type Organization struct{…}`
  - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `AuthDomain string` The unique subdomain assigned to your Zero Trust organization.
  - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login.
  - `CustomPages OrganizationCustomPages`
    - `Forbidden string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `IdentityDenied string` The uid of the custom page to use when a user is denied access.
  - `DenyUnmatchedRequests bool` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `DenyUnmatchedRequestsExemptedZoneNames []string` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `IsUIReadOnly bool` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `LoginDesign LoginDesign`
    - `BackgroundColor string` The background color on your login page.
    - `FooterText string` The text at the bottom of your login page.
    - `HeaderText string` The text at the top of your login page.
    - `LogoPath string` The URL of the logo on your login page.
    - `TextColor string` The text color on your login page.
  - `MfaConfig OrganizationMfaConfig` Configures multi-factor authentication (MFA) settings for an organization.
    - `AllowedAuthenticators []OrganizationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const OrganizationMfaConfigAllowedAuthenticatorTotp OrganizationMfaConfigAllowedAuthenticator = "totp"`
      - `const OrganizationMfaConfigAllowedAuthenticatorBiometrics OrganizationMfaConfigAllowedAuthenticator = "biometrics"`
      - `const OrganizationMfaConfigAllowedAuthenticatorSecurityKey OrganizationMfaConfigAllowedAuthenticator = "security_key"`
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `MfaRequiredForAllApps bool` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `Name string` The name of your Zero Trust organization.
  - `SessionDuration string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UIReadOnlyToggleReason string` A description of the reason why the UI read only field is being toggled.
  - `UserSeatExpirationInactiveTime string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `WARPAuthSessionDuration string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	organization, err := client.ZeroTrust.Organizations.Update(context.TODO(), zero_trust.OrganizationUpdateParams{})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", organization.AutoRedirectToIdentity)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Revoke all Access tokens for a user

`client.ZeroTrust.Organizations.RevokeUsers(ctx, params) (*OrganizationRevokeUsersResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations/revoke_user`

Revokes a user's access across all applications.

### Parameters

- `params OrganizationRevokeUsersParams`
  - `Email param.Field[string]` Body param: The email of the user to revoke.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `QueryDevices param.Field[bool]` Query param: When set to `true`, all devices associated with the user will be revoked.
  - `UserUID param.Field[string]` Body param: The uuid of the user to revoke.
  - `WARPSessionReauth param.Field[bool]` Body param: When set to `true`, the user will be required to re-authenticate to WARP for all Gateway policies that enforce a WARP client session duration. When `false`, the user’s WARP session will remain active.

### Returns

- `type OrganizationRevokeUsersResponse bool`
  - `const OrganizationRevokeUsersResponseTrue OrganizationRevokeUsersResponse = true`
  - `const OrganizationRevokeUsersResponseFalse OrganizationRevokeUsersResponse = false`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Organizations.RevokeUsers(context.TODO(), zero_trust.OrganizationRevokeUsersParams{
		Email: cloudflare.F("test@example.com"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "result": true,
  "success": true
}
```

## Domain Types

### Login Design

- `type LoginDesign struct{…}`
  - `BackgroundColor string` The background color on your login page.
  - `FooterText string` The text at the bottom of your login page.
  - `HeaderText string` The text at the top of your login page.
  - `LogoPath string` The URL of the logo on your login page.
  - `TextColor string` The text color on your login page.

### Organization

- `type Organization struct{…}`
  - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `AuthDomain string` The unique subdomain assigned to your Zero Trust organization.
  - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login.
  - `CustomPages OrganizationCustomPages`
    - `Forbidden string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `IdentityDenied string` The uid of the custom page to use when a user is denied access.
  - `DenyUnmatchedRequests bool` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `DenyUnmatchedRequestsExemptedZoneNames []string` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `IsUIReadOnly bool` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `LoginDesign LoginDesign`
    - `BackgroundColor string` The background color on your login page.
    - `FooterText string` The text at the bottom of your login page.
    - `HeaderText string` The text at the top of your login page.
    - `LogoPath string` The URL of the logo on your login page.
    - `TextColor string` The text color on your login page.
  - `MfaConfig OrganizationMfaConfig` Configures multi-factor authentication (MFA) settings for an organization.
    - `AllowedAuthenticators []OrganizationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const OrganizationMfaConfigAllowedAuthenticatorTotp OrganizationMfaConfigAllowedAuthenticator = "totp"`
      - `const OrganizationMfaConfigAllowedAuthenticatorBiometrics OrganizationMfaConfigAllowedAuthenticator = "biometrics"`
      - `const OrganizationMfaConfigAllowedAuthenticatorSecurityKey OrganizationMfaConfigAllowedAuthenticator = "security_key"`
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `MfaRequiredForAllApps bool` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `Name string` The name of your Zero Trust organization.
  - `SessionDuration string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UIReadOnlyToggleReason string` A description of the reason why the UI read only field is being toggled.
  - `UserSeatExpirationInactiveTime string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `WARPAuthSessionDuration string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

# DOH

## Get your Zero Trust organization DoH settings

`client.ZeroTrust.Organizations.DOH.Get(ctx, query) (*OrganizationDOHGetResponse, error)`

**get** `/accounts/{account_id}/access/organizations/doh`

Returns the DoH settings for your Zero Trust organization.

### Parameters

- `query OrganizationDOHGetParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type OrganizationDOHGetResponse struct{…}`
  - `ID string` The ID of the service token.
  - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `DOHJWTDuration string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.
  - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `ExpiresAt Time`
  - `Name string` The name of the service token.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	doh, err := client.ZeroTrust.Organizations.DOH.Get(context.TODO(), zero_trust.OrganizationDOHGetParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", doh.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update your Zero Trust organization DoH settings

`client.ZeroTrust.Organizations.DOH.Update(ctx, params) (*OrganizationDOHUpdateResponse, error)`

**put** `/accounts/{account_id}/access/organizations/doh`

Updates the DoH settings for your Zero Trust organization.

### Parameters

- `params OrganizationDOHUpdateParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `DOHJWTDuration param.Field[string]` Body param: The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
  - `ServiceTokenID param.Field[string]` Body param: The uuid of the service token you want to use for DoH authentication.

### Returns

- `type OrganizationDOHUpdateResponse struct{…}`
  - `ID string` The ID of the service token.
  - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `DOHJWTDuration string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
  - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `ExpiresAt Time`
  - `Name string` The name of the service token.
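
The duration rules stated on this page for the organization and DoH settings can be checked before an update is sent, so an out-of-range session lifetime is caught in review rather than by the API. The following is an added example, not part of cloudflare-go or the original page: `OrgDurations`, `Validate` and the sample values are hypothetical, the key rotation period is supplied by the caller, and the single-unit form for MFA durations is an assumption based on the examples `5m` and `24h`.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// OrgDurations is a hypothetical holder; comments name the API field per value.
type OrgDurations struct {
	SessionDuration         string // session_duration
	MFASessionDuration      string // mfa_config.session_duration
	SeatInactiveTime        string // user_seat_expiration_inactive_time
	WARPAuthSessionDuration string // warp_auth_session_duration
	DOHJWTDuration          string // doh_jwt_duration
}

// Assumption: an MFA session duration is one integer plus m or h ("5m", "24h").
var mfaPattern = regexp.MustCompile(`^\d+[mh]$`)

// WARP durations combine hours and minutes only ("30m", "2h45m").
var warpPattern = regexp.MustCompile(`^(\d+h)?(\d+m)?$`)

// parseNonNegative parses a duration with the units ns, us, µs, ms, s, m, h and
// rejects negative values, which time.ParseDuration itself accepts.
func parseNonNegative(v string) (time.Duration, error) {
	d, err := time.ParseDuration(v)
	if err != nil {
		return 0, err
	}
	if d < 0 {
		return 0, fmt.Errorf("negative duration %q", v)
	}
	return d, nil
}

// Validate returns one finding per field that breaks a rule stated on this
// page. Empty fields are skipped because every duration is optional.
// keyRotation is the caller-supplied key rotation period; zero skips that check.
func Validate(c OrgDurations, keyRotation time.Duration) []string {
	var findings []string
	add := func(field, msg string) { findings = append(findings, field+": "+msg) }
	if c.SessionDuration != "" {
		if _, err := parseNonNegative(c.SessionDuration); err != nil {
			add("session_duration", err.Error())
		}
	}
	if c.MFASessionDuration != "" {
		d, err := parseNonNegative(c.MFASessionDuration)
		switch {
		case err != nil || !mfaPattern.MatchString(c.MFASessionDuration):
			add("mfa_config.session_duration", "must be in minutes (m) or hours (h)")
		case d > 720*time.Hour:
			add("mfa_config.session_duration", "exceeds the 720h maximum")
		}
	}
	if c.SeatInactiveTime != "" {
		d, err := parseNonNegative(c.SeatInactiveTime)
		switch {
		case err != nil:
			add("user_seat_expiration_inactive_time", err.Error())
		case d < 730*time.Hour:
			add("user_seat_expiration_inactive_time", "below the 730h minimum")
		}
	}
	if c.WARPAuthSessionDuration != "" && !warpPattern.MatchString(c.WARPAuthSessionDuration) {
		add("warp_auth_session_duration", "only the units m and h are valid")
	}
	if c.DOHJWTDuration != "" {
		d, err := parseNonNegative(c.DOHJWTDuration)
		switch {
		case err != nil:
			add("doh_jwt_duration", err.Error())
		case keyRotation > 0 && d > keyRotation:
			add("doh_jwt_duration", "longer than the key rotation period")
		}
	}
	return findings
}

// Constructed sample values, not taken from a real account.
const sampleKeyRotation = 2160 * time.Hour // assumed 90-day rotation period

var sampleGood = OrgDurations{
	SessionDuration: "24h", MFASessionDuration: "24h", SeatInactiveTime: "730h",
	WARPAuthSessionDuration: "2h45m", DOHJWTDuration: "24h",
}

var sampleBad = OrgDurations{
	SessionDuration:         "1d",    // "d" is not a valid unit
	MFASessionDuration:      "721h",  // above the 720h maximum
	SeatInactiveTime:        "720h",  // below the 730h minimum
	WARPAuthSessionDuration: "90s",   // seconds are not allowed here
	DOHJWTDuration:          "3000h", // longer than the sample rotation period
}

func main() {
	for _, f := range Validate(sampleBad, sampleKeyRotation) {
		fmt.Println("finding:", f)
	}
}
```
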
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	doh, err := client.ZeroTrust.Organizations.DOH.Update(context.TODO(), zero_trust.OrganizationDOHUpdateParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", doh.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

# Seats

## Update a user seat

`client.ZeroTrust.Seats.Edit(ctx, params) (*SinglePage[Seat], error)`

**patch** `/accounts/{account_id}/access/seats`

Removes a user from a Zero Trust seat when both `access_seat` and `gateway_seat` are set to false.

### Parameters

- `params SeatEditParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Body param.Field[[]SeatEditParamsBody]` Body param
    - `AccessSeat bool` True if the seat is part of Access.
    - `GatewaySeat bool` True if the seat is part of Gateway.
    - `SeatUID string` The unique API identifier for the Zero Trust seat.

### Returns

- `type Seat struct{…}`
  - `AccessSeat bool` True if the seat is part of Access.
  - `CreatedAt Time`
  - `GatewaySeat bool` True if the seat is part of Gateway.
  - `SeatUID string` The unique API identifier for the Zero Trust seat.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Seats.Edit(context.TODO(), zero_trust.SeatEditParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Body: []zero_trust.SeatEditParamsBody{zero_trust.SeatEditParamsBody{
			AccessSeat:  cloudflare.F(false),
			GatewaySeat: cloudflare.F(false),
			SeatUID:     cloudflare.F("f174e90a-fafe-4643-bbbc-4a0ed4fc8415"),
		}},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "access_seat": false,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "gateway_seat": false,
      "seat_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Seat

- `type Seat struct{…}`
  - `AccessSeat bool` True if the seat is part of Access.
  - `CreatedAt Time`
  - `GatewaySeat bool` True if the seat is part of Gateway.
  - `SeatUID string` The unique API identifier for the Zero Trust seat.
  - `UpdatedAt Time`

# Access

# AI Controls

# Mcp

# Portals

## List MCP Portals

`client.ZeroTrust.Access.AIControls.Mcp.Portals.List(ctx, params) (*V4PagePaginationArray[AccessAIControlMcpPortalListResponse], error)`

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Lists all MCP portals configured for the account.

### Parameters

- `params AccessAIControlMcpPortalListParams`
  - `AccountID param.Field[string]` Path param
  - `Page param.Field[int64]` Query param
  - `PerPage param.Field[int64]` Query param
  - `Search param.Field[string]` Query param: Search by id, name, hostname

### Returns

- `type AccessAIControlMcpPortalListResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `Servers []AccessAIControlMcpPortalListResponseServer`
    - `ID string` server id
    - `AuthType AccessAIControlMcpPortalListResponseServersAuthType`
      - `const AccessAIControlMcpPortalListResponseServersAuthTypeOAuth AccessAIControlMcpPortalListResponseServersAuthType = "oauth"`
      - `const AccessAIControlMcpPortalListResponseServersAuthTypeBearer AccessAIControlMcpPortalListResponseServersAuthType = "bearer"`
      - `const AccessAIControlMcpPortalListResponseServersAuthTypeUnauthenticated AccessAIControlMcpPortalListResponseServersAuthType = "unauthenticated"`
    - `Hostname string`
    - `Name string`
    - `Prompts []map[string, unknown]`
    - `Tools []map[string, unknown]`
    - `UpdatedPrompts []map[string, AccessAIControlMcpPortalListResponseServersUpdatedPromptsUnion]`
      - `UnionFloat`
      - `UnionString`
    - `UpdatedTools []map[string, AccessAIControlMcpPortalListResponseServersUpdatedToolsUnion]`
      - `UnionFloat`
      - `UnionString`
    - `CreatedAt Time`
    - `CreatedBy string`
    - `DefaultDisabled bool`
    - `Description string`
    - `Error string`
    - `LastSuccessfulSync Time`
    - `LastSynced Time`
    - `ModifiedAt Time`
    - `ModifiedBy string`
    - `OnBehalf bool`
    - `Status string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.List(context.TODO(), zero_trust.AccessAIControlMcpPortalListParams{
    AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-portal",
      "hostname": "exmaple.com",
      "name": "My MCP Portal",
      "servers": [
        {
          "id": "my-mcp-server",
          "auth_type": "unauthenticated",
          "hostname": "https://example.com/mcp",
          "name": "My MCP Server",
          "prompts": [{ "foo": "bar" }],
          "tools": [{ "foo": "bar" }],
          "updated_prompts": [{ "foo": 0 }],
          "updated_tools": [{ "foo": 0 }],
          "created_at": "2019-12-27T18:11:19.117Z",
          "created_by": "created_by",
          "default_disabled": true,
          "description": "This is one remote mcp server",
          "error": "error",
          "last_successful_sync": "2019-12-27T18:11:19.117Z",
          "last_synced": "2019-12-27T18:11:19.117Z",
          "modified_at": "2019-12-27T18:11:19.117Z",
          "modified_by": "modified_by",
          "on_behalf": true,
          "status": "status"
        }
      ],
      "allow_code_mode": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is my custom MCP Portal",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "secure_web_gateway": false
    }
  ],
  "success": true
}
```

## Create a new MCP Portal

`client.ZeroTrust.Access.AIControls.Mcp.Portals.New(ctx, params) (*AccessAIControlMcpPortalNewResponse, error)`

**post** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Creates a new MCP portal for managing AI tool access through
Cloudflare Access.

### Parameters

- `params AccessAIControlMcpPortalNewParams`
  - `AccountID param.Field[string]` Path param
  - `ID param.Field[string]` Body param: portal id
  - `Hostname param.Field[string]` Body param
  - `Name param.Field[string]` Body param
  - `AllowCodeMode param.Field[bool]` Body param: Allow remote code execution in Dynamic Workers (beta)
  - `Description param.Field[string]` Body param
  - `SecureWebGateway param.Field[bool]` Body param: Route outbound MCP traffic through Zero Trust Secure Web Gateway
  - `Servers param.Field[[]AccessAIControlMcpPortalNewParamsServer]` Body param
    - `ServerID string` server id
    - `DefaultDisabled bool`
    - `OnBehalf bool`
    - `UpdatedPrompts []AccessAIControlMcpPortalNewParamsServersUpdatedPrompt`
      - `Name string`
      - `Alias string`
      - `Description string`
      - `Enabled bool`
    - `UpdatedTools []AccessAIControlMcpPortalNewParamsServersUpdatedTool`
      - `Name string`
      - `Alias string`
      - `Description string`
      - `Enabled bool`

### Returns

- `type AccessAIControlMcpPortalNewResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  portal, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.New(context.TODO(), zero_trust.AccessAIControlMcpPortalNewParams{
    AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    ID: cloudflare.F("my-mcp-portal"),
    Hostname: cloudflare.F("exmaple.com"),
    Name: cloudflare.F("My MCP Portal"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", portal.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "exmaple.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Read details of an MCP Portal

`client.ZeroTrust.Access.AIControls.Mcp.Portals.Read(ctx, id, query) (*AccessAIControlMcpPortalReadResponse, error)`

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Read details of an MCP Portal

### Parameters

- `id string` portal id
- `query AccessAIControlMcpPortalReadParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpPortalReadResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `Servers []AccessAIControlMcpPortalReadResponseServer`
    - `ID string` server id
    - `AuthType AccessAIControlMcpPortalReadResponseServersAuthType`
      - `const AccessAIControlMcpPortalReadResponseServersAuthTypeOAuth AccessAIControlMcpPortalReadResponseServersAuthType = "oauth"`
      - `const AccessAIControlMcpPortalReadResponseServersAuthTypeBearer AccessAIControlMcpPortalReadResponseServersAuthType = "bearer"`
      - `const AccessAIControlMcpPortalReadResponseServersAuthTypeUnauthenticated AccessAIControlMcpPortalReadResponseServersAuthType = "unauthenticated"`
    - `Hostname string`
    - `Name string`
    - `Prompts []map[string, unknown]`
    - `Tools []map[string, unknown]`
    - `UpdatedPrompts []map[string, AccessAIControlMcpPortalReadResponseServersUpdatedPromptsUnion]`
      - `UnionFloat`
      - `UnionString`
    - `UpdatedTools []map[string, AccessAIControlMcpPortalReadResponseServersUpdatedToolsUnion]`
      - `UnionFloat`
      - `UnionString`
    - `CreatedAt Time`
    - `CreatedBy string`
    - `DefaultDisabled bool`
    - `Description string`
    - `Error string`
    - `LastSuccessfulSync Time`
    - `LastSynced Time`
    - `ModifiedAt Time`
    - `ModifiedBy string`
    - `OnBehalf bool`
    - `Status string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  response, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.Read(
    context.TODO(),
    "my-mcp-portal",
    zero_trust.AccessAIControlMcpPortalReadParams{
      AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", response.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "exmaple.com",
    "name": "My MCP Portal",
    "servers": [
      {
        "id": "my-mcp-server",
        "auth_type": "unauthenticated",
        "hostname": "https://example.com/mcp",
        "name": "My MCP Server",
        "prompts": [{ "foo": "bar" }],
        "tools": [{ "foo": "bar" }],
        "updated_prompts": [{ "foo": 0 }],
        "updated_tools": [{ "foo": 0 }],
        "created_at": "2019-12-27T18:11:19.117Z",
        "created_by": "created_by",
        "default_disabled": true,
        "description": "This is one remote mcp server",
        "error": "error",
        "last_successful_sync": "2019-12-27T18:11:19.117Z",
        "last_synced": "2019-12-27T18:11:19.117Z",
        "modified_at": "2019-12-27T18:11:19.117Z",
        "modified_by": "modified_by",
        "on_behalf": true,
        "status": "status"
      }
    ],
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Update a MCP Portal

`client.ZeroTrust.Access.AIControls.Mcp.Portals.Update(ctx, id, params) (*AccessAIControlMcpPortalUpdateResponse, error)`

**put** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Updates an MCP portal configuration.

### Parameters

- `id string` portal id
- `params AccessAIControlMcpPortalUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `AllowCodeMode param.Field[bool]` Body param: Allow remote code execution in Dynamic Workers (beta)
  - `Description param.Field[string]` Body param
  - `Hostname param.Field[string]` Body param
  - `Name param.Field[string]` Body param
  - `SecureWebGateway param.Field[bool]` Body param: Route outbound MCP traffic through Zero Trust Secure Web Gateway
  - `Servers param.Field[[]AccessAIControlMcpPortalUpdateParamsServer]` Body param
    - `ServerID string` server id
    - `DefaultDisabled bool`
    - `OnBehalf bool`
    - `UpdatedPrompts []AccessAIControlMcpPortalUpdateParamsServersUpdatedPrompt`
      - `Name string`
      - `Alias string`
      - `Description string`
      - `Enabled bool`
    - `UpdatedTools []AccessAIControlMcpPortalUpdateParamsServersUpdatedTool`
      - `Name string`
      - `Alias string`
      - `Description string`
      - `Enabled bool`

### Returns

- `type AccessAIControlMcpPortalUpdateResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  portal, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.Update(
    context.TODO(),
    "my-mcp-portal",
    zero_trust.AccessAIControlMcpPortalUpdateParams{
      AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", portal.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "exmaple.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Delete a MCP Portal

`client.ZeroTrust.Access.AIControls.Mcp.Portals.Delete(ctx, id, body) (*AccessAIControlMcpPortalDeleteResponse, error)`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Deletes an MCP portal from the account.

### Parameters

- `id string` portal id
- `body AccessAIControlMcpPortalDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpPortalDeleteResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  portal, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.Delete(
    context.TODO(),
    "my-mcp-portal",
    zero_trust.AccessAIControlMcpPortalDeleteParams{
      AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", portal.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "exmaple.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

# Servers

## List MCP Servers

`client.ZeroTrust.Access.AIControls.Mcp.Servers.List(ctx, params) (*V4PagePaginationArray[AccessAIControlMcpServerListResponse], error)`

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Lists all MCP portals configured for the account.

### Parameters

- `params AccessAIControlMcpServerListParams`
  - `AccountID param.Field[string]` Path param
  - `Page param.Field[int64]` Query param
  - `PerPage param.Field[int64]` Query param
  - `Search param.Field[string]` Query param: Search by id, name

### Returns

- `type AccessAIControlMcpServerListResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerListResponseAuthType`
    - `const AccessAIControlMcpServerListResponseAuthTypeOAuth AccessAIControlMcpServerListResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerListResponseAuthTypeBearer AccessAIControlMcpServerListResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerListResponseAuthTypeUnauthenticated AccessAIControlMcpServerListResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err :=
    client.ZeroTrust.Access.AIControls.Mcp.Servers.List(context.TODO(), zero_trust.AccessAIControlMcpServerListParams{
      AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-server",
      "auth_type": "unauthenticated",
      "hostname": "https://example.com/mcp",
      "name": "My MCP Server",
      "prompts": [{ "foo": "bar" }],
      "tools": [{ "foo": "bar" }],
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is one remote mcp server",
      "error": "error",
      "last_successful_sync": "2019-12-27T18:11:19.117Z",
      "last_synced": "2019-12-27T18:11:19.117Z",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "status": "status"
    }
  ],
  "success": true
}
```

## Create a new MCP Server

`client.ZeroTrust.Access.AIControls.Mcp.Servers.New(ctx, params) (*AccessAIControlMcpServerNewResponse, error)`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Creates a new MCP portal for managing AI tool access through Cloudflare Access.
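
The portal and server fields documented above (`allow_code_mode`, `secure_web_gateway`, `auth_type`, `hostname`, `error`, `last_successful_sync`) are enough for a configuration review. The Go below is an added example, not part of cloudflare-go or its documentation: it audits one portal Read response body using only the standard library, and its rule names, sync-age threshold and sample JSON are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// Field names follow the portal Read response shown on this page.
type mcpServer struct {
	ID                 string    `json:"id"`
	AuthType           string    `json:"auth_type"`
	Hostname           string    `json:"hostname"`
	Error              string    `json:"error"`
	LastSuccessfulSync time.Time `json:"last_successful_sync"`
}

type mcpPortal struct {
	ID               string      `json:"id"`
	AllowCodeMode    bool        `json:"allow_code_mode"`
	SecureWebGateway bool        `json:"secure_web_gateway"`
	Servers          []mcpServer `json:"servers"`
}

type portalEnvelope struct {
	Result  *mcpPortal `json:"result"`
	Success bool       `json:"success"`
}

// Finding is one review item. Rule names are this example's own (assumed policy).
type Finding struct {
	Subject string
	Rule    string
}

// Constructed sample body: IDs, hostnames and timestamps are made up.
const samplePortal = `{
  "result": {
    "id": "my-mcp-portal",
    "allow_code_mode": true,
    "secure_web_gateway": false,
    "servers": [
      {"id": "legacy-tools", "auth_type": "unauthenticated",
       "hostname": "http://legacy.example.com/mcp", "error": "",
       "last_successful_sync": "2023-11-01T00:00:00Z"},
      {"id": "ticketing", "auth_type": "oauth",
       "hostname": "https://tickets.example.com/mcp", "error": "",
       "last_successful_sync": "2024-01-09T12:00:00Z"}
    ]
  },
  "success": true
}`

// AuditPortal decodes one portal Read response body and applies the assumed policy.
func AuditPortal(body []byte, now time.Time, maxSyncAge time.Duration) ([]Finding, error) {
	var env portalEnvelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode portal response: %w", err)
	}
	if !env.Success || env.Result == nil {
		return nil, errors.New("response is not a successful portal read")
	}
	p := env.Result
	var out []Finding
	if p.AllowCodeMode { // remote code execution in Dynamic Workers is enabled
		out = append(out, Finding{"portal/" + p.ID, "code-mode-enabled"})
	}
	if !p.SecureWebGateway { // outbound MCP traffic bypasses Secure Web Gateway
		out = append(out, Finding{"portal/" + p.ID, "swg-routing-disabled"})
	}
	for _, s := range p.Servers {
		subject := "server/" + s.ID
		switch s.AuthType {
		case "oauth", "bearer":
		case "unauthenticated":
			out = append(out, Finding{subject, "unauthenticated-upstream"})
		default: // a value this page does not list
			out = append(out, Finding{subject, "unknown-auth-type"})
		}
		if u, err := url.Parse(s.Hostname); err != nil || u.Scheme != "https" {
			out = append(out, Finding{subject, "non-https-upstream"})
		}
		if s.Error != "" {
			out = append(out, Finding{subject, "sync-error"})
		}
		// A missing timestamp decodes to the zero time and counts as stale.
		if s.LastSuccessfulSync.IsZero() || now.Sub(s.LastSuccessfulSync) > maxSyncAge {
			out = append(out, Finding{subject, "stale-sync"})
		}
	}
	return out, nil
}

func main() {
	now := time.Date(2024, 1, 10, 0, 0, 0, 0, time.UTC) // fixed clock for the sample
	findings, err := AuditPortal([]byte(samplePortal), now, 7*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %s\n", f.Subject, f.Rule)
	}
}
```

To run it against a live account, pass in the JSON body returned by `GET /accounts/{account_id}/access/ai-controls/mcp/portals/{id}` instead of the constructed sample.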

### Parameters

- `params AccessAIControlMcpServerNewParams`
  - `AccountID param.Field[string]` Path param
  - `ID param.Field[string]` Body param: server id
  - `AuthType param.Field[AccessAIControlMcpServerNewParamsAuthType]` Body param
    - `const AccessAIControlMcpServerNewParamsAuthTypeOAuth AccessAIControlMcpServerNewParamsAuthType = "oauth"`
    - `const AccessAIControlMcpServerNewParamsAuthTypeBearer AccessAIControlMcpServerNewParamsAuthType = "bearer"`
    - `const AccessAIControlMcpServerNewParamsAuthTypeUnauthenticated AccessAIControlMcpServerNewParamsAuthType = "unauthenticated"`
  - `Hostname param.Field[string]` Body param
  - `Name param.Field[string]` Body param
  - `AuthCredentials param.Field[string]` Body param
  - `Description param.Field[string]` Body param

### Returns

- `type AccessAIControlMcpServerNewResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerNewResponseAuthType`
    - `const AccessAIControlMcpServerNewResponseAuthTypeOAuth AccessAIControlMcpServerNewResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerNewResponseAuthTypeBearer AccessAIControlMcpServerNewResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerNewResponseAuthTypeUnauthenticated AccessAIControlMcpServerNewResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  server, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.New(context.TODO(), zero_trust.AccessAIControlMcpServerNewParams{
    AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    ID: cloudflare.F("my-mcp-server"),
    AuthType: cloudflare.F(zero_trust.AccessAIControlMcpServerNewParamsAuthTypeUnauthenticated),
    Hostname: cloudflare.F("https://example.com/mcp"),
    Name: cloudflare.F("My MCP Server"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", server.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Read the details of a MCP Server

`client.ZeroTrust.Access.AIControls.Mcp.Servers.Read(ctx, id, query) (*AccessAIControlMcpServerReadResponse, error)`

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Retrieves gateway configuration for MCP portals.

### Parameters

- `id string` server id
- `query AccessAIControlMcpServerReadParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpServerReadResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerReadResponseAuthType`
    - `const AccessAIControlMcpServerReadResponseAuthTypeOAuth AccessAIControlMcpServerReadResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerReadResponseAuthTypeBearer AccessAIControlMcpServerReadResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerReadResponseAuthTypeUnauthenticated AccessAIControlMcpServerReadResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  response, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.Read(
    context.TODO(),
    "my-mcp-server",
    zero_trust.AccessAIControlMcpServerReadParams{
      AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", response.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Update a MCP Server

`client.ZeroTrust.Access.AIControls.Mcp.Servers.Update(ctx, id, params) (*AccessAIControlMcpServerUpdateResponse, error)`

**put** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Updates an MCP portal configuration.

### Parameters

- `id string` server id
- `params AccessAIControlMcpServerUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `AuthCredentials param.Field[string]` Body param
  - `Description param.Field[string]` Body param
  - `Name param.Field[string]` Body param

### Returns

- `type AccessAIControlMcpServerUpdateResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerUpdateResponseAuthType`
    - `const AccessAIControlMcpServerUpdateResponseAuthTypeOAuth AccessAIControlMcpServerUpdateResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerUpdateResponseAuthTypeBearer AccessAIControlMcpServerUpdateResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerUpdateResponseAuthTypeUnauthenticated AccessAIControlMcpServerUpdateResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  server, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.Update(
    context.TODO(),
    "my-mcp-server",
    zero_trust.AccessAIControlMcpServerUpdateParams{
      AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", server.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Delete a MCP Server

`client.ZeroTrust.Access.AIControls.Mcp.Servers.Delete(ctx, id, body) (*AccessAIControlMcpServerDeleteResponse, error)`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Deletes an MCP portal from the account.

### Parameters

- `id string` server id
- `body AccessAIControlMcpServerDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpServerDeleteResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerDeleteResponseAuthType`
    - `const AccessAIControlMcpServerDeleteResponseAuthTypeOAuth AccessAIControlMcpServerDeleteResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerDeleteResponseAuthTypeBearer AccessAIControlMcpServerDeleteResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerDeleteResponseAuthTypeUnauthenticated AccessAIControlMcpServerDeleteResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  server, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.Delete(
    context.TODO(),
    "my-mcp-server",
    zero_trust.AccessAIControlMcpServerDeleteParams{
      AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", server.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Sync MCP Server Capabilities

`client.ZeroTrust.Access.AIControls.Mcp.Servers.Sync(ctx, id, body) (*AccessAIControlMcpServerSyncResponse, error)`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync`

Syncs an MCP server's tool catalog with the portal.

### Parameters

- `id string` portal id
- `body AccessAIControlMcpServerSyncParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpServerSyncResponse interface{…}`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  response, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.Sync(
    context.TODO(),
    "my-mcp-portal",
    zero_trust.AccessAIControlMcpServerSyncParams{
      AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

# Gateway CA

## List SSH Certificate Authorities (CA)

`client.ZeroTrust.Access.GatewayCA.List(ctx, query) (*SinglePage[AccessGatewayCAListResponse], error)`

**get** `/accounts/{account_id}/access/gateway_ca`

Lists SSH Certificate Authorities (CA).

### Parameters

- `query AccessGatewayCAListParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessGatewayCAListResponse struct{…}`
  - `ID string` The key ID of this certificate.
  - `PublicKey string` The public key of this certificate.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Access.GatewayCA.List(context.TODO(), zero_trust.AccessGatewayCAListParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "public_key": "public_key"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Add a new SSH Certificate Authority (CA)

`client.ZeroTrust.Access.GatewayCA.New(ctx, body) (*AccessGatewayCANewResponse, error)`

**post** `/accounts/{account_id}/access/gateway_ca`

Adds a new SSH Certificate Authority (CA).

### Parameters

- `body AccessGatewayCANewParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessGatewayCANewResponse struct{…}`
  - `ID string` The key ID of this certificate.
  - `PublicKey string` The public key of this certificate.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  gatewayCA, err := client.ZeroTrust.Access.GatewayCA.New(context.TODO(), zero_trust.AccessGatewayCANewParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", gatewayCA.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "public_key": "public_key"
  }
}
```

## Delete an SSH Certificate Authority (CA)

`client.ZeroTrust.Access.GatewayCA.Delete(ctx, certificateID, body) (*AccessGatewayCADeleteResponse, error)`

**delete** `/accounts/{account_id}/access/gateway_ca/{certificate_id}`

Deletes an SSH Certificate Authority.

### Parameters

- `certificateID string` UUID.
- `body AccessGatewayCADeleteParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessGatewayCADeleteResponse struct{…}`
  - `ID string` UUID.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  gatewayCA, err := client.ZeroTrust.Access.GatewayCA.Delete(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.AccessGatewayCADeleteParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", gatewayCA.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

# Infrastructure

# Targets

## List all targets

`client.ZeroTrust.Access.Infrastructure.Targets.List(ctx, params) (*V4PagePaginationArray[AccessInfrastructureTargetListResponse], error)`

**get** `/accounts/{account_id}/infrastructure/targets`

Lists and sorts an account’s targets. Filters are optional and are ANDed together.

### Parameters

- `params AccessInfrastructureTargetListParams`
  - `AccountID param.Field[string]` Path param: Account identifier
  - `CreatedAfter param.Field[Time]` Query param: Date and time at which the target was created after (inclusive)
  - `CreatedBefore param.Field[Time]` Query param: Date and time at which the target was created before (inclusive)
  - `Direction param.Field[AccessInfrastructureTargetListParamsDirection]` Query param: The sorting direction.
    - `const AccessInfrastructureTargetListParamsDirectionAsc AccessInfrastructureTargetListParamsDirection = "asc"`
    - `const AccessInfrastructureTargetListParamsDirectionDesc AccessInfrastructureTargetListParamsDirection = "desc"`
  - `Hostname param.Field[string]` Query param: Hostname of a target
  - `HostnameContains param.Field[string]` Query param: Partial match to the hostname of a target
  - `IPLike param.Field[string]` Query param: Filters for targets whose IP addresses look like the specified string. Supports `*` as a wildcard character
  - `IPV4 param.Field[string]` Query param: IPv4 address of the target
  - `IPV6 param.Field[string]` Query param: IPv6 address of the target
  - `IPs param.Field[[]string]` Query param: Filters for targets that have any of the following IP addresses. Specify `ips` multiple times in query parameter to build list of candidates.
  - `IPV4End param.Field[string]` Query param: Defines an IPv4 filter range's ending value (inclusive). Requires `ipv4_start` to be specified as well.
  - `IPV4Start param.Field[string]` Query param: Defines an IPv4 filter range's starting value (inclusive). Requires `ipv4_end` to be specified as well.
  - `IPV6End param.Field[string]` Query param: Defines an IPv6 filter range's ending value (inclusive). Requires `ipv6_start` to be specified as well.
  - `IPV6Start param.Field[string]` Query param: Defines an IPv6 filter range's starting value (inclusive). Requires `ipv6_end` to be specified as well.
  - `ModifiedAfter param.Field[Time]` Query param: Date and time at which the target was modified after (inclusive)
  - `ModifiedBefore param.Field[Time]` Query param: Date and time at which the target was modified before (inclusive)
  - `Order param.Field[AccessInfrastructureTargetListParamsOrder]` Query param: The field to sort by.
    - `const AccessInfrastructureTargetListParamsOrderHostname AccessInfrastructureTargetListParamsOrder = "hostname"`
    - `const AccessInfrastructureTargetListParamsOrderCreatedAt AccessInfrastructureTargetListParamsOrder = "created_at"`
  - `Page param.Field[int64]` Query param: Current page in the response
  - `PerPage param.Field[int64]` Query param: Max amount of entries returned per page
  - `TargetIDs param.Field[[]string]` Query param: Filters for targets that have any of the following UUIDs. Specify `target_ids` multiple times in query parameter to build list of candidates.
  - `VirtualNetworkID param.Field[string]` Query param: Private virtual network identifier of the target

### Returns

- `type AccessInfrastructureTargetListResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  - `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetListResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetListResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetListResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Infrastructure.Targets.List(context.TODO(), zero_trust.AccessInfrastructureTargetListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get target

`client.ZeroTrust.Access.Infrastructure.Targets.Get(ctx, targetID, query) (*AccessInfrastructureTargetGetResponse, error)`

**get** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Get target

### Parameters

- `targetID string` Target identifier
- `query AccessInfrastructureTargetGetParams`
  - `AccountID param.Field[string]` Account identifier

### Returns

- `type AccessInfrastructureTargetGetResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  - `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetGetResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetGetResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetGetResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	target, err := client.ZeroTrust.Access.Infrastructure.Targets.Get(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.AccessInfrastructureTargetGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", target.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Create new target

`client.ZeroTrust.Access.Infrastructure.Targets.New(ctx, params) (*AccessInfrastructureTargetNewResponse, error)`

**post** `/accounts/{account_id}/infrastructure/targets`

Create new target

### Parameters

- `params AccessInfrastructureTargetNewParams`
  - `AccountID param.Field[string]` Path param: Account identifier
  - `Hostname param.Field[string]` Body param: A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `IP param.Field[AccessInfrastructureTargetNewParamsIP]` Body param: The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetNewParamsIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetNewParamsIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `type AccessInfrastructureTargetNewResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  - `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetNewResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetNewResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetNewResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	target, err := client.ZeroTrust.Access.Infrastructure.Targets.New(context.TODO(), zero_trust.AccessInfrastructureTargetNewParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		Hostname:  cloudflare.F("infra-access-target"),
		IP:        cloudflare.F(zero_trust.AccessInfrastructureTargetNewParamsIP{}),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", target.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Update target

`client.ZeroTrust.Access.Infrastructure.Targets.Update(ctx, targetID, params) (*AccessInfrastructureTargetUpdateResponse, error)`

**put** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Update target

### Parameters

- `targetID string` Target identifier
- `params AccessInfrastructureTargetUpdateParams`
  - `AccountID param.Field[string]` Path param: Account identifier
  - `Hostname param.Field[string]` Body param: A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `IP param.Field[AccessInfrastructureTargetUpdateParamsIP]` Body param: The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetUpdateParamsIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetUpdateParamsIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `type AccessInfrastructureTargetUpdateResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  - `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetUpdateResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetUpdateResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetUpdateResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	target, err := client.ZeroTrust.Access.Infrastructure.Targets.Update(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.AccessInfrastructureTargetUpdateParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
			Hostname:  cloudflare.F("infra-access-target"),
			IP:        cloudflare.F(zero_trust.AccessInfrastructureTargetUpdateParamsIP{}),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", target.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Delete target

`client.ZeroTrust.Access.Infrastructure.Targets.Delete(ctx, targetID, body) error`

**delete** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Delete target

### Parameters

- `targetID string` Target identifier
- `body AccessInfrastructureTargetDeleteParams`
  - `AccountID param.Field[string]` Account identifier

### Example

```go
package main

import (
	"context"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	err := client.ZeroTrust.Access.Infrastructure.Targets.Delete(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.AccessInfrastructureTargetDeleteParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
}
```

## Create new targets

`client.ZeroTrust.Access.Infrastructure.Targets.BulkUpdate(ctx, params) (*SinglePage[AccessInfrastructureTargetBulkUpdateResponse], error)`

**put** `/accounts/{account_id}/infrastructure/targets/batch`

Adds one or more targets.

### Parameters

- `params AccessInfrastructureTargetBulkUpdateParams`
  - `AccountID param.Field[string]` Path param: Account identifier
  - `Body param.Field[[]AccessInfrastructureTargetBulkUpdateParamsBody]` Body param
    - `Hostname string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
    - `IP AccessInfrastructureTargetBulkUpdateParamsBodyIP` The IPv4/IPv6 address that identifies where to reach a target
      - `IPV4 AccessInfrastructureTargetBulkUpdateParamsBodyIPIPV4` The target's IPv4 address
        - `IPAddr string` IP address of the target
        - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
      - `IPV6 AccessInfrastructureTargetBulkUpdateParamsBodyIPIPV6` The target's IPv6 address
        - `IPAddr string` IP address of the target
        - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `type AccessInfrastructureTargetBulkUpdateResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  - `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetBulkUpdateResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetBulkUpdateResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetBulkUpdateResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Infrastructure.Targets.BulkUpdate(context.TODO(), zero_trust.AccessInfrastructureTargetBulkUpdateParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		Body: []zero_trust.AccessInfrastructureTargetBulkUpdateParamsBody{zero_trust.AccessInfrastructureTargetBulkUpdateParamsBody{
			Hostname: cloudflare.F("infra-access-target"),
			IP:       cloudflare.F(zero_trust.AccessInfrastructureTargetBulkUpdateParamsBodyIP{}),
		}},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ]
}
```

## Delete targets (Deprecated)

`client.ZeroTrust.Access.Infrastructure.Targets.BulkDelete(ctx, body) error`

**delete** `/accounts/{account_id}/infrastructure/targets/batch`

Removes one or more targets.
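
The hostname and address rules stated for the Create, Update and bulk-create target endpoints above can be checked client-side before a batch body is sent to `/accounts/{account_id}/infrastructure/targets/batch`. This is an added example, not code from cloudflare-go: `Target`, `TargetIP`, `ValidateHostname`, `ValidateIP` and `ValidateBatch` are hypothetical names. It assumes a strict reading of the rules (ASCII alphanumerics plus dash and period only, at least one address per target, no IPv4-mapped address in the `ipv6` slot).

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// TargetIP holds the two optional addresses of a target's `ip` object.
type TargetIP struct {
	IPv4 string // ip.ipv4.ip_addr; empty when not set
	IPv6 string // ip.ipv6.ip_addr; empty when not set
}

// Target is one entry of a batch body (hypothetical local type, not the SDK's).
type Target struct {
	Hostname string
	IP       TargetIP
}

func isAlnum(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

// ValidateHostname applies the documented hostname rules: at most 255
// characters, dash and period as the only special characters, no spaces,
// alphanumeric first and last character. Case is not significant.
func ValidateHostname(h string) error {
	if h == "" {
		return errors.New("hostname is empty")
	}
	for i := 0; i < len(h); i++ {
		if c := h[i]; !isAlnum(c) && c != '-' && c != '.' {
			return fmt.Errorf("hostname has unsupported character %q at offset %d", c, i)
		}
	}
	if len(h) > 255 {
		return fmt.Errorf("hostname is %d characters, maximum is 255", len(h))
	}
	if !isAlnum(h[0]) || !isAlnum(h[len(h)-1]) {
		return errors.New("hostname must start and end with an alphanumeric character")
	}
	return nil
}

// ValidateIP checks that each address sits in the slot of its own family.
// Requiring at least one address is an assumption of this example.
func ValidateIP(ip TargetIP) error {
	if ip.IPv4 == "" && ip.IPv6 == "" {
		return errors.New("target has neither an ipv4 nor an ipv6 address")
	}
	if ip.IPv4 != "" {
		a, err := netip.ParseAddr(ip.IPv4)
		if err != nil || !a.Is4() {
			return fmt.Errorf("ipv4.ip_addr %q is not an IPv4 address", ip.IPv4)
		}
	}
	if ip.IPv6 != "" {
		a, err := netip.ParseAddr(ip.IPv6)
		// IPv4-mapped and zoned addresses are rejected here (assumption).
		if err != nil || !a.Is6() || a.Is4In6() || a.Zone() != "" {
			return fmt.Errorf("ipv6.ip_addr %q is not a plain IPv6 address", ip.IPv6)
		}
	}
	return nil
}

// ValidateBatch returns the first problem found for each rejected entry,
// keyed by its index in the batch. Duplicate hostnames are not rejected,
// because the hostname is documented as a non-unique field.
func ValidateBatch(batch []Target) map[int]error {
	rejected := make(map[int]error)
	for i, t := range batch {
		if err := ValidateHostname(t.Hostname); err != nil {
			rejected[i] = err
		} else if err := ValidateIP(t.IP); err != nil {
			rejected[i] = err
		}
	}
	return rejected
}

// sampleBatch is constructed input; entry 0 reuses the values from the
// response sample above, the rest are made up for this example.
func sampleBatch() []Target {
	return []Target{
		{"infra-access-target", TargetIP{IPv4: "187.26.29.249", IPv6: "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"}},
		{"db 01.internal", TargetIP{IPv4: "10.0.0.5"}},            // contains a space
		{"bastion.example.internal.", TargetIP{IPv4: "10.0.0.6"}}, // ends with a period
		{"cache-01", TargetIP{IPv4: "fd00::10"}},                  // IPv6 in the ipv4 slot
		{"Web-01.Example.Internal", TargetIP{IPv6: "fd00::20"}},
	}
}

func main() {
	batch := sampleBatch()
	rejected := ValidateBatch(batch)
	for i, t := range batch {
		if err, bad := rejected[i]; bad {
			fmt.Printf("entry %d (%q): rejected: %v\n", i, t.Hostname, err)
			continue
		}
		fmt.Printf("entry %d (%q): ok\n", i, t.Hostname)
	}
}
```
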
### Parameters

- `body AccessInfrastructureTargetBulkDeleteParams`
  - `AccountID param.Field[string]` Account identifier

### Example

```go
package main

import (
	"context"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	err := client.ZeroTrust.Access.Infrastructure.Targets.BulkDelete(context.TODO(), zero_trust.AccessInfrastructureTargetBulkDeleteParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
}
```

## Delete targets

`client.ZeroTrust.Access.Infrastructure.Targets.BulkDeleteV2(ctx, params) error`

**post** `/accounts/{account_id}/infrastructure/targets/batch_delete`

Removes one or more targets.

### Parameters

- `params AccessInfrastructureTargetBulkDeleteV2Params`
  - `AccountID param.Field[string]` Path param: Account identifier
  - `TargetIDs param.Field[[]string]` Body param: List of target IDs to bulk delete

### Example

```go
package main

import (
	"context"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	err := client.ZeroTrust.Access.Infrastructure.Targets.BulkDeleteV2(context.TODO(), zero_trust.AccessInfrastructureTargetBulkDeleteV2Params{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		TargetIDs: cloudflare.F([]string{"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"}),
	})
	if err != nil {
		panic(err.Error())
	}
}
```

# Applications

## List Access applications

`client.ZeroTrust.Access.Applications.List(ctx, params) (*V4PagePaginationArray[AccessApplicationListResponse], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Lists all Access applications in an account or zone.
### Parameters

- `params AccessApplicationListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AUD param.Field[string]` Query param: The aud of the app.
  - `Domain param.Field[string]` Query param: The domain of the app.
  - `Exact param.Field[bool]` Query param: True for only exact string matches against passed name/domain query parameters.
  - `Name param.Field[string]` Query param: The name of the app.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `Search param.Field[string]` Query param: Search for apps by other listed query parameters.
  - `TargetAttributes param.Field[string]` Query param: Target Criteria attributes in key=value format.

### Returns

- `type AccessApplicationListResponse interface{…}`
  - `type AccessApplicationListResponseSelfHostedApplication struct{…}`
    - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `Type ApplicationType` The application type.
      - `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"`
      - `const ApplicationTypeSaaS ApplicationType = "saas"`
      - `const ApplicationTypeSSH ApplicationType = "ssh"`
      - `const ApplicationTypeVNC ApplicationType = "vnc"`
      - `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"`
      - `const ApplicationTypeWARP ApplicationType = "warp"`
      - `const ApplicationTypeBISO ApplicationType = "biso"`
      - `const ApplicationTypeBookmark ApplicationType = "bookmark"`
      - `const ApplicationTypeDashSSO ApplicationType = "dash_sso"`
      - `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"`
      - `const ApplicationTypeRDP ApplicationType = "rdp"`
      - `const ApplicationTypeMcp ApplicationType = "mcp"`
      - `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"`
      - `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"`
    - `ID string` UUID.
    - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `AllowIframe bool` Enables loading application content in an iFrame.
    - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `AppLauncherVisible bool` Displays the application in the App Launcher.
    - `AUD string` Audience tag.
    - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `CORSHeaders CORSHeaders`
      - `AllowAllHeaders bool` Allows all HTTP request headers.
      - `AllowAllMethods bool` Allows all HTTP request methods.
      - `AllowAllOrigins bool` Allows all origins.
      - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers.
      - `AllowedMethods []AllowedMethods` Allowed HTTP request methods.
        - `const AllowedMethodsGet AllowedMethods = "GET"`
        - `const AllowedMethodsPost AllowedMethods = "POST"`
        - `const AllowedMethodsHead AllowedMethods = "HEAD"`
        - `const AllowedMethodsPut AllowedMethods = "PUT"`
        - `const AllowedMethodsDelete AllowedMethods = "DELETE"`
        - `const AllowedMethodsConnect AllowedMethods = "CONNECT"`
        - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"`
        - `const AllowedMethodsTrace AllowedMethods = "TRACE"`
        - `const AllowedMethodsPatch AllowedMethods = "PATCH"`
      - `AllowedOrigins []AllowedOrigins` Allowed origins.
      - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached.
    - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application.
    - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `CustomPages []string` The custom pages that will be displayed when applicable for this application
    - `Destinations []AccessApplicationListResponseSelfHostedApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `type AccessApplicationListResponseSelfHostedApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `Type AccessApplicationListResponseSelfHostedApplicationDestinationsPublicDestinationType`
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseSelfHostedApplicationDestinationsPublicDestinationType = "public"`
        - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `type AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}`
        - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `L4Protocol AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"`
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"`
        - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `Type AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationType`
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationType = "private"`
        - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `type AccessApplicationListResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `McpServerID string` The MCP server ID configured in ai-controls.
        - `Type AccessApplicationListResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType`
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"`
    - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
    - `MfaConfig AccessApplicationListResponseSelfHostedApplicationMfaConfig` Configures multi-factor authentication (MFA) settings.
      - `AllowedAuthenticators []AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
        - `const AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"`
        - `const AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"`
        - `const AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"`
      - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `Name string` The name of the application.
    - `OAuthConfiguration AccessApplicationListResponseSelfHostedApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `DynamicClientRegistration AccessApplicationListResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost.
        - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
        - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `Enabled bool` Whether dynamic client registration is enabled.
      - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `Grant AccessApplicationListResponseSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior.
        - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `Policies []AccessApplicationListResponseSelfHostedApplicationPolicy`
      - `ID string` The UUID of the policy
      - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
        - `EmailAddresses []string` A list of emails that can approve the access request.
        - `EmailListUUID string` The UUID of a reusable email list.
      - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
      - `ConnectionRules AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `RDP AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `const AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
          - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseSelfHostedApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service.
- `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `type AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationListResponseSaaSApplication struct{…}` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationListResponseSaaSApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseSaaSApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseSaaSApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SaaSApp AccessApplicationListResponseSaaSApplicationSaaSApp` - `type SAMLSaaSApp struct{…}` - `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"` - `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CustomAttributes []SAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source SAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. - `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `IdPEntityID string` The unique identifier for your SaaS application. 
- `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. - `type OIDCSaaSApp struct{…}` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users. - `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
- `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"` - `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. - `CustomClaims []OIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token. - `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"` - `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"` - `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"` - `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"` - `Source OIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP map[string, string]` A mapping from IdP ID to claim name. - `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application - `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"` - `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"` - `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"` - `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. 
- `RedirectURIs []string` The permitted URLs for Cloudflare to return authorization codes and Access/ID tokens. - `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m. - `Scopes []OIDCSaaSAppScope` Defines the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled. - `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"` - `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"` - `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"` - `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"` - `SCIMConfig AccessApplicationListResponseSaaSApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationListResponseBrowserSSHApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationListResponseBrowserSSHApplicationType` The application type. - `const AccessApplicationListResponseBrowserSSHApplicationTypeSelfHosted AccessApplicationListResponseBrowserSSHApplicationType = "self_hosted"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeSaaS AccessApplicationListResponseBrowserSSHApplicationType = "saas"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeSSH AccessApplicationListResponseBrowserSSHApplicationType = "ssh"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeVNC AccessApplicationListResponseBrowserSSHApplicationType = "vnc"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeAppLauncher AccessApplicationListResponseBrowserSSHApplicationType = "app_launcher"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeWARP AccessApplicationListResponseBrowserSSHApplicationType = "warp"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeBISO AccessApplicationListResponseBrowserSSHApplicationType = "biso"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeBookmark AccessApplicationListResponseBrowserSSHApplicationType = "bookmark"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeDashSSO AccessApplicationListResponseBrowserSSHApplicationType = "dash_sso"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeInfrastructure AccessApplicationListResponseBrowserSSHApplicationType = "infrastructure"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeRDP AccessApplicationListResponseBrowserSSHApplicationType = "rdp"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeMcp 
AccessApplicationListResponseBrowserSSHApplicationType = "mcp"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeMcpPortal AccessApplicationListResponseBrowserSSHApplicationType = "mcp_portal"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeProxyEndpoint AccessApplicationListResponseBrowserSSHApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseBrowserSSHApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. 
If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationListResponseBrowserSSHApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseBrowserSSHApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationListResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationListResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationListResponseBrowserSSHApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationListResponseBrowserSSHApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationListResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. 
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationListResponseBrowserSSHApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationListResponseBrowserSSHApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseBrowserSSHApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `type AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationListResponseBrowserVNCApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationListResponseBrowserVNCApplicationType` The application type. 
- `const AccessApplicationListResponseBrowserVNCApplicationTypeSelfHosted AccessApplicationListResponseBrowserVNCApplicationType = "self_hosted"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeSaaS AccessApplicationListResponseBrowserVNCApplicationType = "saas"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeSSH AccessApplicationListResponseBrowserVNCApplicationType = "ssh"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeVNC AccessApplicationListResponseBrowserVNCApplicationType = "vnc"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeAppLauncher AccessApplicationListResponseBrowserVNCApplicationType = "app_launcher"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeWARP AccessApplicationListResponseBrowserVNCApplicationType = "warp"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeBISO AccessApplicationListResponseBrowserVNCApplicationType = "biso"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeBookmark AccessApplicationListResponseBrowserVNCApplicationType = "bookmark"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeDashSSO AccessApplicationListResponseBrowserVNCApplicationType = "dash_sso"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeInfrastructure AccessApplicationListResponseBrowserVNCApplicationType = "infrastructure"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeRDP AccessApplicationListResponseBrowserVNCApplicationType = "rdp"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeMcp AccessApplicationListResponseBrowserVNCApplicationType = "mcp"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeMcpPortal AccessApplicationListResponseBrowserVNCApplicationType = "mcp_portal"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeProxyEndpoint AccessApplicationListResponseBrowserVNCApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseBrowserVNCApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationListResponseBrowserVNCApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseBrowserVNCApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationListResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationListResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationListResponseBrowserVNCApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationListResponseBrowserVNCApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationListResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationListResponseBrowserVNCApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. 
Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationListResponseBrowserVNCApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseBrowserVNCApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. 
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationListResponseAppLauncherApplication struct{…}` - `Type AccessApplicationListResponseAppLauncherApplicationType` The application type. 
- `const AccessApplicationListResponseAppLauncherApplicationTypeSelfHosted AccessApplicationListResponseAppLauncherApplicationType = "self_hosted"` - `const AccessApplicationListResponseAppLauncherApplicationTypeSaaS AccessApplicationListResponseAppLauncherApplicationType = "saas"` - `const AccessApplicationListResponseAppLauncherApplicationTypeSSH AccessApplicationListResponseAppLauncherApplicationType = "ssh"` - `const AccessApplicationListResponseAppLauncherApplicationTypeVNC AccessApplicationListResponseAppLauncherApplicationType = "vnc"` - `const AccessApplicationListResponseAppLauncherApplicationTypeAppLauncher AccessApplicationListResponseAppLauncherApplicationType = "app_launcher"` - `const AccessApplicationListResponseAppLauncherApplicationTypeWARP AccessApplicationListResponseAppLauncherApplicationType = "warp"` - `const AccessApplicationListResponseAppLauncherApplicationTypeBISO AccessApplicationListResponseAppLauncherApplicationType = "biso"` - `const AccessApplicationListResponseAppLauncherApplicationTypeBookmark AccessApplicationListResponseAppLauncherApplicationType = "bookmark"` - `const AccessApplicationListResponseAppLauncherApplicationTypeDashSSO AccessApplicationListResponseAppLauncherApplicationType = "dash_sso"` - `const AccessApplicationListResponseAppLauncherApplicationTypeInfrastructure AccessApplicationListResponseAppLauncherApplicationType = "infrastructure"` - `const AccessApplicationListResponseAppLauncherApplicationTypeRDP AccessApplicationListResponseAppLauncherApplicationType = "rdp"` - `const AccessApplicationListResponseAppLauncherApplicationTypeMcp AccessApplicationListResponseAppLauncherApplicationType = "mcp"` - `const AccessApplicationListResponseAppLauncherApplicationTypeMcpPortal AccessApplicationListResponseAppLauncherApplicationType = "mcp_portal"` - `const AccessApplicationListResponseAppLauncherApplicationTypeProxyEndpoint AccessApplicationListResponseAppLauncherApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherLogoURL string` The image URL of the logo shown in the App Launcher header. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `BgColor string` The background color of the App Launcher page. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `FooterLinks []AccessApplicationListResponseAppLauncherApplicationFooterLink` The links in the App Launcher footer. - `Name string` The hypertext in the footer link. - `URL string` The hyperlink in the footer link. - `HeaderBgColor string` The background color of the App Launcher header. - `LandingPageDesign AccessApplicationListResponseAppLauncherApplicationLandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `ButtonColor string` The background color of the log in button on the landing page. - `ButtonTextColor string` The color of the text in the log in button on the landing page. - `ImageURL string` The URL of the image shown on the landing page. - `Message string` The message shown on the landing page. - `Title string` The title shown on the landing page. - `Name string` The name of the application. 
- `Policies []AccessApplicationListResponseAppLauncherApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. 
Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. 
Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipAppLauncherLoginPage bool` Determines when to skip the App Launcher landing page. - `type AccessApplicationListResponseDeviceEnrollmentPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. 
- `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `MfaConfig AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationListResponseBrowserIsolationPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. 
- `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. 
- `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. 
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
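The Include, Exclude and Require descriptions above combine into a single match decision per policy. The sketch below is an added example, not code from the cloudflare-go SDK: `Subject`, `Rule`, `Policy` and the rule constructors are hypothetical local types, the sample policy is constructed, and treating an empty Include list as "no match" is an assumption drawn from the OR wording.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject is a constructed stand-in for the identity a policy is evaluated against.
type Subject struct {
	Email   string
	Country string
	Groups  []string
}

// Rule is a hypothetical predicate standing in for one AccessRule entry
// (DomainRule, CountryRule, GroupRule, EveryoneRule, ...). It is not an SDK type.
type Rule struct {
	Name  string
	Match func(Subject) bool
}

// Policy keeps only the three rule lists described in the reference.
type Policy struct {
	Name    string
	Include []Rule // OR: one matching rule is enough
	Exclude []Rule // NOT: any matching rule disqualifies the user
	Require []Rule // AND: every rule must match
}

func Domain(d string) Rule {
	return Rule{Name: "domain:" + d, Match: func(s Subject) bool {
		return strings.HasSuffix(strings.ToLower(s.Email), "@"+strings.ToLower(d))
	}}
}

func Country(c string) Rule {
	return Rule{Name: "country:" + c, Match: func(s Subject) bool { return s.Country == c }}
}

func Group(g string) Rule {
	return Rule{Name: "group:" + g, Match: func(s Subject) bool {
		for _, have := range s.Groups {
			if have == g {
				return true
			}
		}
		return false
	}}
}

func Everyone() Rule {
	return Rule{Name: "everyone", Match: func(Subject) bool { return true }}
}

// Matches reports whether the policy applies to s and names the deciding rule.
// Exclude is checked first so that a broad Include can never override it.
func (p Policy) Matches(s Subject) (bool, string) {
	for _, r := range p.Exclude {
		if r.Match(s) {
			return false, "excluded by " + r.Name
		}
	}
	for _, r := range p.Require {
		if !r.Match(s) {
			return false, "required rule not met: " + r.Name
		}
	}
	for _, r := range p.Include {
		if r.Match(s) {
			return true, "included by " + r.Name
		}
	}
	// Assumption: an OR over zero Include rules matches nobody.
	return false, "no include rule matched"
}

// DemoPolicy returns constructed sample data ("XX" is a placeholder country code).
func DemoPolicy() Policy {
	return Policy{
		Name:    "staff-only",
		Include: []Rule{Domain("example.com"), Group("contractors")},
		Exclude: []Rule{Country("XX")},
		Require: []Rule{Group("mfa-enrolled")},
	}
}

func main() {
	p := DemoPolicy()
	subjects := []Subject{
		{Email: "alice@example.com", Country: "US", Groups: []string{"mfa-enrolled"}},
		{Email: "bob@example.com", Country: "XX", Groups: []string{"mfa-enrolled"}},
		{Email: "carol@partner.test", Country: "US", Groups: []string{"contractors"}},
	}
	for _, s := range subjects {
		ok, why := p.Matches(s)
		fmt.Printf("%-20s match=%-5v %s\n", s.Email, ok, why)
	}
}
```

The last test case is the one worth reviewing in real policies: an Include of `Everyone` is only as narrow as the Require and Exclude lists beside it.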
- `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationListResponseGatewayIdentityProxyEndpointApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `Domain string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `Name string` The name of the application. - `Policies []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. 
- `ConnectionRules AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. 
- `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationListResponseBookmarkApplication struct{…}` - `ID string` UUID. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `Domain string` The URL or domain of the bookmark. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationListResponseBookmarkApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. 
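Two fields in this reference share the name `SessionDuration` but accept different formats: the one under `MfaConfig` takes minutes or hours up to 720h, while the policy- and application-level ones take the `300ms` / `2h45m` form. The validator below is an added example, not SDK code; `PolicyDurations` and the sample values are constructed, and it assumes an MFA value is a single integer followed by `m` or `h` and that negative token lifetimes are invalid.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// Upper bound for MfaConfig.SessionDuration as stated in the reference: 720h (30 days).
const maxMFASession = 720 * time.Hour

// ParseMFASessionDuration validates an MfaConfig.SessionDuration value.
// Assumption: one non-negative integer followed by "m" or "h" (the reference
// shows `5m` and `24h`); compound values such as "1h30m" are rejected.
func ParseMFASessionDuration(s string) (time.Duration, error) {
	if len(s) < 2 {
		return 0, fmt.Errorf("mfa session duration %q: want <int>m or <int>h", s)
	}
	digits, unit := s[:len(s)-1], s[len(s)-1]
	for i := 0; i < len(digits); i++ {
		if digits[i] < '0' || digits[i] > '9' {
			return 0, fmt.Errorf("mfa session duration %q: want <int>m or <int>h", s)
		}
	}
	var step time.Duration
	switch unit {
	case 'm':
		step = time.Minute
	case 'h':
		step = time.Hour
	default:
		return 0, fmt.Errorf("mfa session duration %q: unit must be m or h", s)
	}
	// Compare against the limit before multiplying so huge inputs cannot overflow.
	n, err := strconv.ParseInt(digits, 10, 64)
	if err != nil || n > int64(maxMFASession/step) {
		return 0, fmt.Errorf("mfa session duration %q: exceeds maximum 720h", s)
	}
	return time.Duration(n) * step, nil
}

// ParseTokenSessionDuration validates the policy- and application-level
// SessionDuration. The documented units (ns, us, µs, ms, s, m, h) are the
// ones time.ParseDuration accepts, so it is used as the parser here.
func ParseTokenSessionDuration(s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("token session duration %q: %v", s, err)
	}
	if d < 0 {
		return 0, fmt.Errorf("token session duration %q: must not be negative", s)
	}
	return d, nil
}

// PolicyDurations is a constructed stand-in holding only the two strings under test.
type PolicyDurations struct {
	Name               string
	MFASessionDuration string // MfaConfig.SessionDuration
	SessionDuration    string // policy-level SessionDuration
}

// Lint returns one finding per invalid value; empty (unset) fields are skipped.
func Lint(policies []PolicyDurations) []string {
	var findings []string
	for _, p := range policies {
		if p.MFASessionDuration != "" {
			if _, err := ParseMFASessionDuration(p.MFASessionDuration); err != nil {
				findings = append(findings, p.Name+": "+err.Error())
			}
		}
		if p.SessionDuration != "" {
			if _, err := ParseTokenSessionDuration(p.SessionDuration); err != nil {
				findings = append(findings, p.Name+": "+err.Error())
			}
		}
	}
	return findings
}

// SamplePolicies returns constructed input covering a valid pair, a value
// written in the other field's format, and out-of-range or unknown units.
func SamplePolicies() []PolicyDurations {
	return []PolicyDurations{
		{Name: "ok", MFASessionDuration: "5m", SessionDuration: "2h45m"},
		{Name: "swapped", MFASessionDuration: "300ms", SessionDuration: "24h"},
		{Name: "too-long", MFASessionDuration: "721h", SessionDuration: "30d"},
	}
}

func main() {
	for _, f := range Lint(SamplePolicies()) {
		fmt.Println(f)
	}
}
```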
- `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. 
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationListResponseInfrastructureApplication struct{…}` - `TargetCriteria []AccessApplicationListResponseInfrastructureApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationListResponseInfrastructureApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationListResponseInfrastructureApplicationTargetCriteriaProtocolSSH AccessApplicationListResponseInfrastructureApplicationTargetCriteriaProtocol = "SSH"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AUD string` Audience tag. - `Name string` The name of the application. 
- `Policies []AccessApplicationListResponseInfrastructureApplicationPolicy` - `ID string` The UUID of the policy - `ConnectionRules AccessApplicationListResponseInfrastructureApplicationPoliciesConnectionRules` The rules that define how users may connect to the targets secured by your application. - `SSH AccessApplicationListResponseInfrastructureApplicationPoliciesConnectionRulesSSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `Usernames []string` Contains the Unix usernames that may be used when connecting over SSH. - `AllowEmailAlias bool` Enables using Identity Provider email alias as SSH username. - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access policy. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UpdatedAt Time` - `type AccessApplicationListResponseBrowserRDPApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `TargetCriteria []AccessApplicationListResponseBrowserRDPApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationListResponseBrowserRDPApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationListResponseBrowserRDPApplicationTargetCriteriaProtocolRDP AccessApplicationListResponseBrowserRDPApplicationTargetCriteriaProtocol = "RDP"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseBrowserRDPApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationListResponseBrowserRDPApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseBrowserRDPApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. 
When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationListResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationListResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. 
- `MfaConfig AccessApplicationListResponseBrowserRDPApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationListResponseBrowserRDPApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationListResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. 
- `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationListResponseBrowserRDPApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationListResponseBrowserRDPApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. 
- `RDP AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. 
- `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseBrowserRDPApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationListResponseMcpServerApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseMcpServerApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseMcpServerApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationListResponseMcpServerApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseMcpServerApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseMcpServerApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationListResponseMcpServerApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationListResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationListResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationListResponseMcpServerApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationListResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application.
When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationListResponseMcpServerApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationListResponseMcpServerApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group.
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseMcpServerApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `type AccessApplicationListResponseMcpServerPortalApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseMcpServerPortalApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseMcpServerPortalApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationListResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationListResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationListResponseMcpServerPortalApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationListResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. 
Paths may end in `/*` to match all sub-paths.
- `Enabled bool` Whether dynamic client registration is enabled.
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
- `Grant AccessApplicationListResponseMcpServerPortalApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior.
- `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
- `Policies []AccessApplicationListResponseMcpServerPortalApplicationPolicy`
- `ID string` The UUID of the policy.
- `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
- `ApprovalsNeeded float64` The number of approvals needed to obtain access.
- `EmailAddresses []string` A list of emails that can approve the access request.
- `EmailListUUID string` The UUID of a reusable email list.
- `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
- `ConnectionRules AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
- `RDP AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `MfaConfig AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings.
- `AllowedAuthenticators []AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"`
- `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"`
- `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"`
- `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `Name string` The name of the Access policy.
- `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
- `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
- `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseMcpServerPortalApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. 
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token value; load a real token from the environment or a
		// secret store rather than hard-coding it in source.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Applications.List(context.TODO(), zero_trust.AccessApplicationListParams{
		// Set AccountID or ZoneID here to scope the request; the two are mutually exclusive.
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "domain": "test.example.com/admin",
      "type": "self_hosted",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "allow_authenticate_via_warp": true,
      "allow_iframe": true,
      "allowed_idps": [
        "699d98642c564d2e855e9661899b7252"
      ],
      "app_launcher_visible": true,
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "auto_redirect_to_identity": true,
      "cors_headers": {
        "allow_all_headers": true,
        "allow_all_methods": true,
        "allow_all_origins": true,
        "allow_credentials": true,
        "allowed_headers": [
          "string"
        ],
        "allowed_methods": [
          "GET"
        ],
        "allowed_origins": [
          "https://example.com"
        ],
        "max_age": -1
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "custom_deny_message": "custom_deny_message",
      "custom_deny_url": "custom_deny_url",
      "custom_non_identity_deny_url": "custom_non_identity_deny_url",
      "custom_pages": [
        "699d98642c564d2e855e9661899b7252"
      ],
      "destinations": [
        {
          "type": "public",
          "uri": "test.example.com/admin"
        },
        {
          "type": "public",
          "uri": "test.anotherexample.com/staff"
        },
        {
          "cidr": "10.5.0.0/24",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80-90",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "10.5.0.3/32",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "cidr",
          "hostname": "private-sni.example.com",
          "l4_protocol": "tcp",
          "port_range": "port_range",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "mcp_server_id": "mcp-server-1",
          "type": "via_mcp_server_portal"
        }
      ],
      "enable_binding_cookie": true,
      "http_only_cookie_attribute": true,
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "mfa_config": {
        "allowed_authenticators": [
          "totp",
          "biometrics",
          "security_key"
        ],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Admin Site",
      "oauth_configuration": {
        "dynamic_client_registration": {
          "allow_any_on_localhost": true,
          "allow_any_on_loopback": true,
          "allowed_uris": [
            "https://example.com/callback"
          ],
          "enabled": true
        },
        "enabled": true,
        "grant": {
          "access_token_lifetime": "5m",
          "session_duration": "24h"
        }
      },
      "options_preflight_bypass": true,
      "path_cookie_attribute": true,
      "policies": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "approval_groups": [
            {
              "approvals_needed": 1,
              "email_addresses": [
                "test1@cloudflare.com",
                "test2@cloudflare.com"
              ],
              "email_list_uuid": "email_list_uuid"
            },
            {
              "approvals_needed": 3,
              "email_addresses": [
                "test@cloudflare.com",
                "test2@cloudflare.com"
              ],
              "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
            }
          ],
          "approval_required": true,
          "connection_rules": {
            "rdp": {
              "allowed_clipboard_local_to_remote_formats": [
                "text"
              ],
              "allowed_clipboard_remote_to_local_formats": [
                "text"
              ]
            }
          },
          "created_at": "2014-01-01T05:20:00.12345Z",
          "decision": "allow",
          "exclude": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "include": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "isolation_required": false,
          "mfa_config": {
            "allowed_authenticators": [
              "totp",
              "biometrics",
              "security_key"
            ],
            "mfa_disabled": false,
            "session_duration": "24h"
          },
          "name": "Allow devs",
          "precedence": 0,
          "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
          "purpose_justification_required": true,
          "require": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "session_duration": "24h",
          "updated_at": "2014-01-01T05:20:00.12345Z"
        }
      ],
      "read_service_tokens_from_header": "Authorization",
      "same_site_cookie_attribute": "strict",
      "scim_config": {
        "idp_uid": "idp_uid",
        "remote_uri": "remote_uri",
        "authentication": {
          "password": "password",
          "scheme": "httpbasic",
          "user": "user"
        },
        "deactivate_on_delete": true,
        "enabled": true,
        "mappings": [
          {
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "enabled": true,
            "filter": "title pr or userType eq \"Intern\"",
            "operations": {
              "create": true,
              "delete": true,
              "update": true
            },
            "strictness": "strict",
            "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
          }
        ]
      },
      "self_hosted_domains": [
        "test.example.com/admin",
        "test.anotherexample.com/staff"
      ],
      "service_auth_401_redirect": true,
      "session_duration": "24h",
      "skip_interstitial": true,
      "tags": [
        "engineers"
      ],
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "use_clientless_isolation_app_launcher_url": false
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application

`client.ZeroTrust.Access.Applications.Get(ctx, appID, query) (*AccessApplicationGetResponse, error)`

**get**
`/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Fetches information about an Access application.

### Parameters

- `AppID AppID` Identifier.
- `query AccessApplicationGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationGetResponse interface{…}`
  - `type AccessApplicationGetResponseSelfHostedApplication struct{…}`
    - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `Type ApplicationType` The application type.
      - `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"`
      - `const ApplicationTypeSaaS ApplicationType = "saas"`
      - `const ApplicationTypeSSH ApplicationType = "ssh"`
      - `const ApplicationTypeVNC ApplicationType = "vnc"`
      - `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"`
      - `const ApplicationTypeWARP ApplicationType = "warp"`
      - `const ApplicationTypeBISO ApplicationType = "biso"`
      - `const ApplicationTypeBookmark ApplicationType = "bookmark"`
      - `const ApplicationTypeDashSSO ApplicationType = "dash_sso"`
      - `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"`
      - `const ApplicationTypeRDP ApplicationType = "rdp"`
      - `const ApplicationTypeMcp ApplicationType = "mcp"`
      - `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"`
      - `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"`
    - `ID string` UUID.
    - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `AllowIframe bool` Enables loading application content in an iFrame.
- `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. - `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []AllowedOrigins` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseSelfHostedApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseSelfHostedApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationGetResponseSelfHostedApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseSelfHostedApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. 
- `const AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationGetResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. 
- `MfaConfig AccessApplicationGetResponseSelfHostedApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseSelfHostedApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. 
- `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationGetResponseSelfHostedApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. 
- `RDP AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. 
- `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. 
- `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. 
- `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. 
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. 
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseSelfHostedApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. 
- `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `type AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. 
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationGetResponseSaaSApplication struct{…}` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseSaaSApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `const AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SaaSApp AccessApplicationGetResponseSaaSApplicationSaaSApp` - `type SAMLSaaSApp struct{…}` - `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"` - `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CustomAttributes []SAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source SAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. - `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `IdPEntityID string` The unique identifier for your SaaS application. 
- `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. - `type OIDCSaaSApp struct{…}` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users - `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC.
- `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"` - `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. - `CustomClaims []OIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token. - `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"` - `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"` - `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"` - `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"` - `Source OIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP map[string, string]` A mapping from IdP ID to claim name. - `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application - `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"` - `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"` - `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"` - `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. 
- `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `Scopes []OIDCSaaSAppScope` Define the user information shared with access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled - `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"` - `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"` - `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"` - `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"` - `SCIMConfig AccessApplicationGetResponseSaaSApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationGetResponseBrowserSSHApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationGetResponseBrowserSSHApplicationType` The application type. - `const AccessApplicationGetResponseBrowserSSHApplicationTypeSelfHosted AccessApplicationGetResponseBrowserSSHApplicationType = "self_hosted"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeSaaS AccessApplicationGetResponseBrowserSSHApplicationType = "saas"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeSSH AccessApplicationGetResponseBrowserSSHApplicationType = "ssh"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeVNC AccessApplicationGetResponseBrowserSSHApplicationType = "vnc"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeAppLauncher AccessApplicationGetResponseBrowserSSHApplicationType = "app_launcher"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeWARP AccessApplicationGetResponseBrowserSSHApplicationType = "warp"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeBISO AccessApplicationGetResponseBrowserSSHApplicationType = "biso"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeBookmark AccessApplicationGetResponseBrowserSSHApplicationType = "bookmark"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeDashSSO AccessApplicationGetResponseBrowserSSHApplicationType = "dash_sso"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeInfrastructure AccessApplicationGetResponseBrowserSSHApplicationType = "infrastructure"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeRDP AccessApplicationGetResponseBrowserSSHApplicationType = "rdp"`
- `const AccessApplicationGetResponseBrowserSSHApplicationTypeMcp AccessApplicationGetResponseBrowserSSHApplicationType = "mcp"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeMcpPortal AccessApplicationGetResponseBrowserSSHApplicationType = "mcp_portal"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeProxyEndpoint AccessApplicationGetResponseBrowserSSHApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseBrowserSSHApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains.
If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseBrowserSSHApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationGetResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationGetResponseBrowserSSHApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseBrowserSSHApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled.
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseBrowserSSHApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `Policies []AccessApplicationGetResponseBrowserSSHApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseBrowserSSHApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationGetResponseBrowserVNCApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationGetResponseBrowserVNCApplicationType` The application type. 
- `const AccessApplicationGetResponseBrowserVNCApplicationTypeSelfHosted AccessApplicationGetResponseBrowserVNCApplicationType = "self_hosted"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeSaaS AccessApplicationGetResponseBrowserVNCApplicationType = "saas"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeSSH AccessApplicationGetResponseBrowserVNCApplicationType = "ssh"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeVNC AccessApplicationGetResponseBrowserVNCApplicationType = "vnc"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeAppLauncher AccessApplicationGetResponseBrowserVNCApplicationType = "app_launcher"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeWARP AccessApplicationGetResponseBrowserVNCApplicationType = "warp"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeBISO AccessApplicationGetResponseBrowserVNCApplicationType = "biso"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeBookmark AccessApplicationGetResponseBrowserVNCApplicationType = "bookmark"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeDashSSO AccessApplicationGetResponseBrowserVNCApplicationType = "dash_sso"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeInfrastructure AccessApplicationGetResponseBrowserVNCApplicationType = "infrastructure"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeRDP AccessApplicationGetResponseBrowserVNCApplicationType = "rdp"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeMcp AccessApplicationGetResponseBrowserVNCApplicationType = "mcp"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeMcpPortal AccessApplicationGetResponseBrowserVNCApplicationType = "mcp_portal"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeProxyEndpoint AccessApplicationGetResponseBrowserVNCApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseBrowserVNCApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseBrowserVNCApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationGetResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationGetResponseBrowserVNCApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseBrowserVNCApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseBrowserVNCApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. 
Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationGetResponseBrowserVNCApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseBrowserVNCApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. 
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationGetResponseAppLauncherApplication struct{…}` - `Type AccessApplicationGetResponseAppLauncherApplicationType` The application type. 
- `const AccessApplicationGetResponseAppLauncherApplicationTypeSelfHosted AccessApplicationGetResponseAppLauncherApplicationType = "self_hosted"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeSaaS AccessApplicationGetResponseAppLauncherApplicationType = "saas"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeSSH AccessApplicationGetResponseAppLauncherApplicationType = "ssh"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeVNC AccessApplicationGetResponseAppLauncherApplicationType = "vnc"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeAppLauncher AccessApplicationGetResponseAppLauncherApplicationType = "app_launcher"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeWARP AccessApplicationGetResponseAppLauncherApplicationType = "warp"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeBISO AccessApplicationGetResponseAppLauncherApplicationType = "biso"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeBookmark AccessApplicationGetResponseAppLauncherApplicationType = "bookmark"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeDashSSO AccessApplicationGetResponseAppLauncherApplicationType = "dash_sso"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeInfrastructure AccessApplicationGetResponseAppLauncherApplicationType = "infrastructure"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeRDP AccessApplicationGetResponseAppLauncherApplicationType = "rdp"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeMcp AccessApplicationGetResponseAppLauncherApplicationType = "mcp"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeMcpPortal AccessApplicationGetResponseAppLauncherApplicationType = "mcp_portal"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeProxyEndpoint AccessApplicationGetResponseAppLauncherApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherLogoURL string` The image URL of the logo shown in the App Launcher header. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `BgColor string` The background color of the App Launcher page. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `FooterLinks []AccessApplicationGetResponseAppLauncherApplicationFooterLink` The links in the App Launcher footer. - `Name string` The hypertext in the footer link. - `URL string` The hyperlink in the footer link. - `HeaderBgColor string` The background color of the App Launcher header. - `LandingPageDesign AccessApplicationGetResponseAppLauncherApplicationLandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `ButtonColor string` The background color of the log in button on the landing page. - `ButtonTextColor string` The color of the text in the log in button on the landing page. - `ImageURL string` The URL of the image shown on the landing page. - `Message string` The message shown on the landing page. - `Title string` The title shown on the landing page. - `Name string` The name of the application.
- `Policies []AccessApplicationGetResponseAppLauncherApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy.
Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. 
Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully. - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace.
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipAppLauncherLoginPage bool` Determines when to skip the App Launcher landing page. - `type AccessApplicationGetResponseDeviceEnrollmentPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. 
- `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `MfaConfig AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationGetResponseBrowserIsolationPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. 
- `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. 
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationGetResponseGatewayIdentityProxyEndpointApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
- `ConnectionRules AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. 
- `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationGetResponseBookmarkApplication struct{…}` - `ID string` UUID. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `Domain string` The URL or domain of the bookmark. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseBookmarkApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list.
- `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationGetResponseInfrastructureApplication struct{…}` - `TargetCriteria []AccessApplicationGetResponseInfrastructureApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationGetResponseInfrastructureApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationGetResponseInfrastructureApplicationTargetCriteriaProtocolSSH AccessApplicationGetResponseInfrastructureApplicationTargetCriteriaProtocol = "SSH"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AUD string` Audience tag. - `Name string` The name of the application. 
- `Policies []AccessApplicationGetResponseInfrastructureApplicationPolicy` - `ID string` The UUID of the policy - `ConnectionRules AccessApplicationGetResponseInfrastructureApplicationPoliciesConnectionRules` The rules that define how users may connect to the targets secured by your application. - `SSH AccessApplicationGetResponseInfrastructureApplicationPoliciesConnectionRulesSSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `Usernames []string` Contains the Unix usernames that may be used when connecting over SSH. - `AllowEmailAlias bool` Enables using Identity Provider email alias as SSH username. - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access policy. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UpdatedAt Time` - `type AccessApplicationGetResponseBrowserRDPApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `TargetCriteria []AccessApplicationGetResponseBrowserRDPApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationGetResponseBrowserRDPApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationGetResponseBrowserRDPApplicationTargetCriteriaProtocolRDP AccessApplicationGetResponseBrowserRDPApplicationTargetCriteriaProtocol = "RDP"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseBrowserRDPApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseBrowserRDPApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. 
When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationGetResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
- `MfaConfig AccessApplicationGetResponseBrowserRDPApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseBrowserRDPApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
- `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseBrowserRDPApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationGetResponseBrowserRDPApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
- `RDP AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. 
- `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseBrowserRDPApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationGetResponseMcpServerApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseMcpServerApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseMcpServerApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationGetResponseMcpServerApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseMcpServerApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseMcpServerApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationGetResponseMcpServerApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationGetResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseMcpServerApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. 
When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseMcpServerApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationGetResponseMcpServerApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `const AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. 
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseMcpServerApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `type AccessApplicationGetResponseMcpServerPortalApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseMcpServerPortalApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseMcpServerPortalApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. 
Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseMcpServerPortalApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationGetResponseMcpServerPortalApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of an re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. 
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. 
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) application, err := client.ZeroTrust.Access.Applications.Get( context.TODO(), "023e105f4ecef8ad9ca31a8372d0c353", zero_trust.AccessApplicationGetParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", application) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "domain": "test.example.com/admin", "type": "self_hosted", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "allow_authenticate_via_warp": true, "allow_iframe": true, "allowed_idps": [ "699d98642c564d2e855e9661899b7252" ], "app_launcher_visible": true, "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893", "auto_redirect_to_identity": true, "cors_headers": { "allow_all_headers": true, "allow_all_methods": true, "allow_all_origins": true, "allow_credentials": true, "allowed_headers": [ "string" ], "allowed_methods": [ "GET" ], "allowed_origins": [ "https://example.com" ], "max_age": -1 }, 
"created_at": "2014-01-01T05:20:00.12345Z", "custom_deny_message": "custom_deny_message", "custom_deny_url": "custom_deny_url", "custom_non_identity_deny_url": "custom_non_identity_deny_url", "custom_pages": [ "699d98642c564d2e855e9661899b7252" ], "destinations": [ { "type": "public", "uri": "test.example.com/admin" }, { "type": "public", "uri": "test.anotherexample.com/staff" }, { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" }, { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" } ], "enable_binding_cookie": true, "http_only_cookie_attribute": true, "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Admin Site", "oauth_configuration": { "dynamic_client_registration": { "allow_any_on_localhost": true, "allow_any_on_loopback": true, "allowed_uris": [ "https://example.com/callback" ], "enabled": true }, "enabled": true, "grant": { "access_token_lifetime": "5m", "session_duration": "24h" } }, "options_preflight_bypass": true, "path_cookie_attribute": true, "policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { 
"allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "read_service_tokens_from_header": "Authorization", "same_site_cookie_attribute": "strict", "scim_config": { "idp_uid": "idp_uid", "remote_uri": "remote_uri", "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" }, "deactivate_on_delete": true, "enabled": true, "mappings": [ { "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "enabled": true, "filter": "title pr or userType eq \"Intern\"", "operations": { "create": true, "delete": true, "update": true }, "strictness": "strict", "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])" } ] }, "self_hosted_domains": [ "test.example.com/admin", "test.anotherexample.com/staff" ], "service_auth_401_redirect": true, "session_duration": "24h", "skip_interstitial": true, "tags": [ "engineers" ], "updated_at": "2014-01-01T05:20:00.12345Z", "use_clientless_isolation_app_launcher_url": false } } ``` ## Add an Access application `client.ZeroTrust.Access.Applications.New(ctx, params) (*AccessApplicationNewResponse, error)` **post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps` Adds a new 
application to Access.

### Parameters

- `params AccessApplicationNewParams`
  - `Domain param.Field[string]` Body param: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `Type param.Field[ApplicationType]` Body param: The application type.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AllowAuthenticateViaWARP param.Field[bool]` Body param: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `AllowIframe param.Field[bool]` Body param: Enables loading application content in an iFrame.
  - `AllowedIdPs param.Field[[]AllowedIdPs]` Body param: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `AppLauncherVisible param.Field[bool]` Body param: Displays the application in the App Launcher.
  - `AutoRedirectToIdentity param.Field[bool]` Body param: When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `CORSHeaders param.Field[CORSHeaders]` Body param
  - `CustomDenyMessage param.Field[string]` Body param: The custom error message shown to a user when they are denied access to the application.
  - `CustomDenyURL param.Field[string]` Body param: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `CustomNonIdentityDenyURL param.Field[string]` Body param: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `CustomPages param.Field[[]string]` Body param: The custom pages that will be displayed when applicable for this application - `Destinations param.Field[[]AccessApplicationNewParamsSelfHostedApplicationDestination]` Body param: List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestination` - `Type AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestination` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestination` - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie param.Field[bool]` Body param: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute param.Field[bool]` Body param: Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL param.Field[string]` Body param: The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig param.Field[AccessApplicationNewParamsSelfHostedApplicationMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name param.Field[string]` Body param: The name of the application. - `OAuthConfiguration param.Field[AccessApplicationNewParamsSelfHostedApplicationOAuthConfiguration]` Body param: **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewParamsSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. 
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewParamsSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass param.Field[bool]` Body param: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute param.Field[bool]` Body param: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies param.Field[[]AccessApplicationNewParamsSelfHostedApplicationPolicyUnion]` Body param: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessApplicationNewParamsSelfHostedApplicationPoliciesAccessAppPolicyLink` - `ID string` The UUID of the policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `UnionString` - `AccessApplicationNewParamsSelfHostedApplicationPoliciesObject` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list.
- `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorTotp AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ReadServiceTokensFromHeader param.Field[string]` Body param: Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers.
The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute param.Field[string]` Body param: Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig param.Field[AccessApplicationNewParamsSelfHostedApplicationSCIMConfig]` Body param: Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication` - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. 
If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains param.Field[[]SelfHostedDomains]` Body param: List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
  - `ServiceAuth401Redirect param.Field[bool]` Body param: Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `SkipInterstitial param.Field[bool]` Body param: Enables automatic authentication through cloudflared.
  - `Tags param.Field[[]string]` Body param: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `UseClientlessIsolationAppLauncherURL param.Field[bool]` Body param: Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

### Returns

- `type AccessApplicationNewResponse interface{…}`
  - `type AccessApplicationNewResponseSelfHostedApplication struct{…}`
    - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `Type ApplicationType` The application type.
- `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"` - `const ApplicationTypeSaaS ApplicationType = "saas"` - `const ApplicationTypeSSH ApplicationType = "ssh"` - `const ApplicationTypeVNC ApplicationType = "vnc"` - `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"` - `const ApplicationTypeWARP ApplicationType = "warp"` - `const ApplicationTypeBISO ApplicationType = "biso"` - `const ApplicationTypeBookmark ApplicationType = "bookmark"` - `const ApplicationTypeDashSSO ApplicationType = "dash_sso"` - `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"` - `const ApplicationTypeRDP ApplicationType = "rdp"` - `const ApplicationTypeMcp ApplicationType = "mcp"` - `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"` - `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. 
- `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. - `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []AllowedOrigins` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseSelfHostedApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationNewResponseSelfHostedApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseSelfHostedApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. 
Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationNewResponseSelfHostedApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseSelfHostedApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service.
- `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `type AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationNewResponseSaaSApplication struct{…}` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseSaaSApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SaaSApp AccessApplicationNewResponseSaaSApplicationSaaSApp` - `type SAMLSaaSApp struct{…}` - `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"` - `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CustomAttributes []SAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source SAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. - `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `IdPEntityID string` The unique identifier for your SaaS application. 
- `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. - `type OIDCSaaSApp struct{…}` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users. - `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC. 
- `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"` - `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. - `CustomClaims []OIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token. - `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"` - `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"` - `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"` - `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"` - `Source OIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP map[string, string]` A mapping from IdP ID to claim name. - `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application - `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"` - `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"` - `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"` - `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. 
- `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `Scopes []OIDCSaaSAppScope` Define the user information shared with access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled. - `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"` - `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"` - `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"` - `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"` - `SCIMConfig AccessApplicationNewResponseSaaSApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. 
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationNewResponseBrowserSSHApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationNewResponseBrowserSSHApplicationType` The application type. - `const AccessApplicationNewResponseBrowserSSHApplicationTypeSelfHosted AccessApplicationNewResponseBrowserSSHApplicationType = "self_hosted"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeSaaS AccessApplicationNewResponseBrowserSSHApplicationType = "saas"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeSSH AccessApplicationNewResponseBrowserSSHApplicationType = "ssh"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeVNC AccessApplicationNewResponseBrowserSSHApplicationType = "vnc"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeAppLauncher AccessApplicationNewResponseBrowserSSHApplicationType = "app_launcher"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeWARP AccessApplicationNewResponseBrowserSSHApplicationType = "warp"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeBISO AccessApplicationNewResponseBrowserSSHApplicationType = "biso"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeBookmark AccessApplicationNewResponseBrowserSSHApplicationType = "bookmark"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeDashSSO AccessApplicationNewResponseBrowserSSHApplicationType = "dash_sso"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeInfrastructure AccessApplicationNewResponseBrowserSSHApplicationType = "infrastructure"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeRDP AccessApplicationNewResponseBrowserSSHApplicationType = "rdp"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeMcp 
AccessApplicationNewResponseBrowserSSHApplicationType = "mcp"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeMcpPortal AccessApplicationNewResponseBrowserSSHApplicationType = "mcp_portal"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeProxyEndpoint AccessApplicationNewResponseBrowserSSHApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseBrowserSSHApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. 
If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseBrowserSSHApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationNewResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationNewResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationNewResponseBrowserSSHApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseBrowserSSHApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. 
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseBrowserSSHApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationNewResponseBrowserSSHApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseBrowserSSHApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationNewResponseBrowserVNCApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationNewResponseBrowserVNCApplicationType` The application type. 
- `const AccessApplicationNewResponseBrowserVNCApplicationTypeSelfHosted AccessApplicationNewResponseBrowserVNCApplicationType = "self_hosted"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeSaaS AccessApplicationNewResponseBrowserVNCApplicationType = "saas"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeSSH AccessApplicationNewResponseBrowserVNCApplicationType = "ssh"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeVNC AccessApplicationNewResponseBrowserVNCApplicationType = "vnc"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeAppLauncher AccessApplicationNewResponseBrowserVNCApplicationType = "app_launcher"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeWARP AccessApplicationNewResponseBrowserVNCApplicationType = "warp"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeBISO AccessApplicationNewResponseBrowserVNCApplicationType = "biso"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeBookmark AccessApplicationNewResponseBrowserVNCApplicationType = "bookmark"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeDashSSO AccessApplicationNewResponseBrowserVNCApplicationType = "dash_sso"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeInfrastructure AccessApplicationNewResponseBrowserVNCApplicationType = "infrastructure"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeRDP AccessApplicationNewResponseBrowserVNCApplicationType = "rdp"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeMcp AccessApplicationNewResponseBrowserVNCApplicationType = "mcp"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeMcpPortal AccessApplicationNewResponseBrowserVNCApplicationType = "mcp_portal"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeProxyEndpoint AccessApplicationNewResponseBrowserVNCApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseBrowserVNCApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseBrowserVNCApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationNewResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationNewResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationNewResponseBrowserVNCApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseBrowserVNCApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseBrowserVNCApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. 
Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationNewResponseBrowserVNCApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseBrowserVNCApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. 
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationNewResponseAppLauncherApplication struct{…}` - `Type AccessApplicationNewResponseAppLauncherApplicationType` The application type. 
- `const AccessApplicationNewResponseAppLauncherApplicationTypeSelfHosted AccessApplicationNewResponseAppLauncherApplicationType = "self_hosted"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeSaaS AccessApplicationNewResponseAppLauncherApplicationType = "saas"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeSSH AccessApplicationNewResponseAppLauncherApplicationType = "ssh"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeVNC AccessApplicationNewResponseAppLauncherApplicationType = "vnc"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeAppLauncher AccessApplicationNewResponseAppLauncherApplicationType = "app_launcher"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeWARP AccessApplicationNewResponseAppLauncherApplicationType = "warp"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeBISO AccessApplicationNewResponseAppLauncherApplicationType = "biso"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeBookmark AccessApplicationNewResponseAppLauncherApplicationType = "bookmark"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeDashSSO AccessApplicationNewResponseAppLauncherApplicationType = "dash_sso"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeInfrastructure AccessApplicationNewResponseAppLauncherApplicationType = "infrastructure"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeRDP AccessApplicationNewResponseAppLauncherApplicationType = "rdp"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeMcp AccessApplicationNewResponseAppLauncherApplicationType = "mcp"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeMcpPortal AccessApplicationNewResponseAppLauncherApplicationType = "mcp_portal"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeProxyEndpoint AccessApplicationNewResponseAppLauncherApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherLogoURL string` The image URL of the logo shown in the App Launcher header. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `BgColor string` The background color of the App Launcher page. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `FooterLinks []AccessApplicationNewResponseAppLauncherApplicationFooterLink` The links in the App Launcher footer. - `Name string` The hypertext in the footer link. - `URL string` The hyperlink in the footer link. - `HeaderBgColor string` The background color of the App Launcher header. - `LandingPageDesign AccessApplicationNewResponseAppLauncherApplicationLandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `ButtonColor string` The background color of the log in button on the landing page. - `ButtonTextColor string` The color of the text in the log in button on the landing page. - `ImageURL string` The URL of the image shown on the landing page. - `Message string` The message shown on the landing page. - `Title string` The title shown on the landing page. - `Name string` The name of the application.
- `Policies []AccessApplicationNewResponseAppLauncherApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy.
Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. 
Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace.
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipAppLauncherLoginPage bool` Determines when to skip the App Launcher landing page. - `type AccessApplicationNewResponseDeviceEnrollmentPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. 
- `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `MfaConfig AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationNewResponseBrowserIsolationPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. 
- `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationNewResponseGatewayIdentityProxyEndpointApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
- `ConnectionRules AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy.
- `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationNewResponseBookmarkApplication struct{…}` - `ID string` UUID. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `Domain string` The URL or domain of the bookmark. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseBookmarkApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list.
- `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationNewResponseInfrastructureApplication struct{…}` - `TargetCriteria []AccessApplicationNewResponseInfrastructureApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationNewResponseInfrastructureApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationNewResponseInfrastructureApplicationTargetCriteriaProtocolSSH AccessApplicationNewResponseInfrastructureApplicationTargetCriteriaProtocol = "SSH"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AUD string` Audience tag. - `Name string` The name of the application. 
- `Policies []AccessApplicationNewResponseInfrastructureApplicationPolicy` - `ID string` The UUID of the policy - `ConnectionRules AccessApplicationNewResponseInfrastructureApplicationPoliciesConnectionRules` The rules that define how users may connect to the targets secured by your application. - `SSH AccessApplicationNewResponseInfrastructureApplicationPoliciesConnectionRulesSSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `Usernames []string` Contains the Unix usernames that may be used when connecting over SSH. - `AllowEmailAlias bool` Enables using Identity Provider email alias as SSH username. - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access policy. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UpdatedAt Time` - `type AccessApplicationNewResponseBrowserRDPApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `TargetCriteria []AccessApplicationNewResponseBrowserRDPApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationNewResponseBrowserRDPApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationNewResponseBrowserRDPApplicationTargetCriteriaProtocolRDP AccessApplicationNewResponseBrowserRDPApplicationTargetCriteriaProtocol = "RDP"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseBrowserRDPApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseBrowserRDPApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. 
When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationNewResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationNewResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
- `MfaConfig AccessApplicationNewResponseBrowserRDPApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseBrowserRDPApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
- `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseBrowserRDPApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationNewResponseBrowserRDPApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
- `RDP AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
- `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseBrowserRDPApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationNewResponseMcpServerApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseMcpServerApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseMcpServerApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationNewResponseMcpServerApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseMcpServerApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseMcpServerApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationNewResponseMcpServerApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationNewResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseMcpServerApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application.
When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseMcpServerApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationNewResponseMcpServerApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group.
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseMcpServerApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
            - `const AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"`
    - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `Enabled bool` Whether SCIM provisioning is turned on for this application.
    - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `Schema string` Which SCIM resource type this mapping applies to.
      - `Enabled bool` Whether or not this mapping is enabled.
      - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes.
      - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `type AccessApplicationNewResponseMcpServerPortalApplication struct{…}`
  - `Type ApplicationType` The application type.
  - `ID string` UUID.
  - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `AUD string` Audience tag.
  - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application.
  - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `CustomPages []string` The custom pages that will be displayed when applicable for this application.
  - `Destinations []AccessApplicationNewResponseMcpServerPortalApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `Type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPublicDestinationType`
        - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPublicDestinationType = "public"`
      - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}`
      - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `L4Protocol AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "tcp"`
        - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "udp"`
      - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `Type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationType`
        - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationType = "private"`
      - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `McpServerID string` The MCP server id configured in ai-controls.
      - `Type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType`
        - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"`
  - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
  - `Name string` The name of the application.
  - `OAuthConfiguration AccessApplicationNewResponseMcpServerPortalApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `DynamicClientRegistration AccessApplicationNewResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost.
      - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
      - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `Enabled bool` Whether dynamic client registration is enabled.
    - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `Grant AccessApplicationNewResponseMcpServerPortalApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior.
      - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `Policies []AccessApplicationNewResponseMcpServerPortalApplicationPolicy`
    - `ID string` The UUID of the policy.
    - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
      - `EmailAddresses []string` A list of emails that can approve the access request.
      - `EmailListUUID string` The UUID of a re-usable email list.
    - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
    - `ConnectionRules AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `RDP AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
        - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
    - `CreatedAt Time`
    - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Matches an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Matches an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `MfaConfig AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings.
      - `AllowedAuthenticators []AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
        - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"`
        - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"`
        - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"`
      - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `Name string` The name of the Access policy.
    - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
    - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
    - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
    - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Matches an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `UpdatedAt Time`
  - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `SCIMConfig AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `RemoteURI string` The base URI for the application's SCIM-compatible API.
    - `Authentication AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `type AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
        - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service.
        - `Scheme AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
          - `const AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"`
      - `type AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes
        - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `type AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
          - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service.
          - `Scheme AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
            - `const AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"`
    - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `Enabled bool` Whether SCIM provisioning is turned on for this application.
    - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `Schema string` Which SCIM resource type this mapping applies to.
      - `Enabled bool` Whether or not this mapping is enabled.
      - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes.
      - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Sample token as shown in these docs. In real code, load the token from
	// the environment or a secret store rather than hard-coding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Create a self-hosted Access application protecting the /admin path.
	application, err := client.ZeroTrust.Access.Applications.New(context.TODO(), zero_trust.AccessApplicationNewParams{
		Body: zero_trust.AccessApplicationNewParamsBodySelfHostedApplication{
			Domain: cloudflare.F("test.example.com/admin"),
			Type:   cloudflare.F(zero_trust.ApplicationTypeSelfHosted),
		},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", application)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": [
        "string"
      ],
      "allowed_methods": [
        "GET"
      ],
      "allowed_origins": [
        "https://example.com"
      ],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "destinations": [
      {
        "type": "public",
        "uri": "test.example.com/admin"
      },
      {
        "type": "public",
        "uri": "test.anotherexample.com/staff"
      },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "mcp_server_id": "mcp-server-1",
        "type": "via_mcp_server_portal"
      }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": [
          "https://example.com/callback"
        ],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": [
              "test1@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": [
              "test@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": [
              "text"
            ],
            "allowed_clipboard_remote_to_local_formats": [
              "text"
            ]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "include": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": [
            "totp",
            "biometrics",
            "security_key"
          ],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": {
            "create": true,
            "delete": true,
            "update": true
          },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": [
      "engineers"
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Update an Access application

`client.ZeroTrust.Access.Applications.Update(ctx, appID, params) (*AccessApplicationUpdateResponse, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Updates an Access application.

### Parameters

- `AppID AppID` Identifier.
- `params AccessApplicationUpdateParams`
  - `Domain param.Field[string]` Body param: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `Type param.Field[ApplicationType]` Body param: The application type.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AllowAuthenticateViaWARP param.Field[bool]` Body param: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `AllowIframe param.Field[bool]` Body param: Enables loading application content in an iFrame.
  - `AllowedIdPs param.Field[[]AllowedIdPs]` Body param: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `AppLauncherVisible param.Field[bool]` Body param: Displays the application in the App Launcher.
  - `AutoRedirectToIdentity param.Field[bool]` Body param: When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `CORSHeaders param.Field[CORSHeaders]` Body param
  - `CustomDenyMessage param.Field[string]` Body param: The custom error message shown to a user when they are denied access to the application.
  - `CustomDenyURL param.Field[string]` Body param: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `CustomNonIdentityDenyURL param.Field[string]` Body param: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages param.Field[[]string]` Body param: The custom pages that will be displayed when applicable for this application - `Destinations param.Field[[]AccessApplicationUpdateParamsSelfHostedApplicationDestination]` Body param: List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPublicDestination` - `Type AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestination` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. 
- `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `AccessApplicationUpdateParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestination` - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie param.Field[bool]` Body param: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute param.Field[bool]` Body param: Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL param.Field[string]` Body param: The image URL for the logo shown in the App Launcher dashboard. 
- `MfaConfig param.Field[AccessApplicationUpdateParamsSelfHostedApplicationMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name param.Field[string]` Body param: The name of the application. - `OAuthConfiguration param.Field[AccessApplicationUpdateParamsSelfHostedApplicationOAuthConfiguration]` Body param: **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateParamsSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. 
- `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateParamsSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass param.Field[bool]` Body param: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute param.Field[bool]` Body param: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `Policies param.Field[[]AccessApplicationUpdateParamsSelfHostedApplicationPolicyUnion]` Body param: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessApplicationUpdateParamsSelfHostedApplicationPoliciesAccessAppPolicyLink` - `ID string` The UUID of the policy - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. 
- `UnionString` - `AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObject` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. 
- `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ReadServiceTokensFromHeader param.Field[string]` Body param: Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute param.Field[string]` Body param: Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig param.Field[AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfig]` Body param: Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication` - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains param.Field[[]SelfHostedDomains]` Body param: List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect param.Field[bool]` Body param: Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial param.Field[bool]` Body param: Enables automatic authentication through cloudflared. - `Tags param.Field[[]string]` Body param: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL param.Field[bool]` Body param: Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. ### Returns - `type AccessApplicationUpdateResponse interface{…}` - `type AccessApplicationUpdateResponseSelfHostedApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type ApplicationType` The application type. 
- `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"` - `const ApplicationTypeSaaS ApplicationType = "saas"` - `const ApplicationTypeSSH ApplicationType = "ssh"` - `const ApplicationTypeVNC ApplicationType = "vnc"` - `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"` - `const ApplicationTypeWARP ApplicationType = "warp"` - `const ApplicationTypeBISO ApplicationType = "biso"` - `const ApplicationTypeBookmark ApplicationType = "bookmark"` - `const ApplicationTypeDashSSO ApplicationType = "dash_sso"` - `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"` - `const ApplicationTypeRDP ApplicationType = "rdp"` - `const ApplicationTypeMcp ApplicationType = "mcp"` - `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"` - `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. 
- `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. - `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []AllowedOrigins` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseSelfHostedApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationUpdateResponseSelfHostedApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseSelfHostedApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. 
- `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationUpdateResponseSelfHostedApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your GitHub identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service. 
- `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `type AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationUpdateResponseSaaSApplication struct{…}` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseSaaSApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SaaSApp AccessApplicationUpdateResponseSaaSApplicationSaaSApp` - `type SAMLSaaSApp struct{…}` - `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"` - `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CustomAttributes []SAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source SAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. - `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `IdPEntityID string` The unique identifier for your SaaS application. 
- `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. - `type OIDCSaaSApp struct{…}` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users - `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC.
- `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"` - `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. - `CustomClaims []OIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token. - `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"` - `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"` - `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"` - `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"` - `Source OIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP map[string, string]` A mapping from IdP ID to claim name. - `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application - `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"` - `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"` - `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"` - `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. 
- `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `Scopes []OIDCSaaSAppScope` Define the user information shared with access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled - `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"` - `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"` - `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"` - `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"` - `SCIMConfig AccessApplicationUpdateResponseSaaSApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationUpdateResponseBrowserSSHApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationUpdateResponseBrowserSSHApplicationType` The application type. - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeSelfHosted AccessApplicationUpdateResponseBrowserSSHApplicationType = "self_hosted"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeSaaS AccessApplicationUpdateResponseBrowserSSHApplicationType = "saas"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeSSH AccessApplicationUpdateResponseBrowserSSHApplicationType = "ssh"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeVNC AccessApplicationUpdateResponseBrowserSSHApplicationType = "vnc"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeAppLauncher AccessApplicationUpdateResponseBrowserSSHApplicationType = "app_launcher"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeWARP AccessApplicationUpdateResponseBrowserSSHApplicationType = "warp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeBISO AccessApplicationUpdateResponseBrowserSSHApplicationType = "biso"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeBookmark AccessApplicationUpdateResponseBrowserSSHApplicationType = "bookmark"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeDashSSO AccessApplicationUpdateResponseBrowserSSHApplicationType = "dash_sso"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeInfrastructure AccessApplicationUpdateResponseBrowserSSHApplicationType = "infrastructure"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeRDP AccessApplicationUpdateResponseBrowserSSHApplicationType = "rdp"` - `const 
AccessApplicationUpdateResponseBrowserSSHApplicationTypeMcp AccessApplicationUpdateResponseBrowserSSHApplicationType = "mcp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeMcpPortal AccessApplicationUpdateResponseBrowserSSHApplicationType = "mcp_portal"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeProxyEndpoint AccessApplicationUpdateResponseBrowserSSHApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseBrowserSSHApplicationDestination` List of destinations secured by Access. 
This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseBrowserSSHApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled.
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseBrowserSSHApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `Policies []AccessApplicationUpdateResponseBrowserSSHApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationUpdateResponseBrowserVNCApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. 
This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationUpdateResponseBrowserVNCApplicationType` The application type. - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeSelfHosted AccessApplicationUpdateResponseBrowserVNCApplicationType = "self_hosted"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeSaaS AccessApplicationUpdateResponseBrowserVNCApplicationType = "saas"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeSSH AccessApplicationUpdateResponseBrowserVNCApplicationType = "ssh"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeVNC AccessApplicationUpdateResponseBrowserVNCApplicationType = "vnc"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeAppLauncher AccessApplicationUpdateResponseBrowserVNCApplicationType = "app_launcher"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeWARP AccessApplicationUpdateResponseBrowserVNCApplicationType = "warp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeBISO AccessApplicationUpdateResponseBrowserVNCApplicationType = "biso"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeBookmark AccessApplicationUpdateResponseBrowserVNCApplicationType = "bookmark"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeDashSSO AccessApplicationUpdateResponseBrowserVNCApplicationType = "dash_sso"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeInfrastructure AccessApplicationUpdateResponseBrowserVNCApplicationType = "infrastructure"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeRDP AccessApplicationUpdateResponseBrowserVNCApplicationType = "rdp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeMcp AccessApplicationUpdateResponseBrowserVNCApplicationType = "mcp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeMcpPortal AccessApplicationUpdateResponseBrowserVNCApplicationType = 
"mcp_portal"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeProxyEndpoint AccessApplicationUpdateResponseBrowserVNCApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseBrowserVNCApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. 
Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. 
When omitted, all VNETs will match. - `type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource.
This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseBrowserVNCApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseBrowserVNCApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationUpdateResponseBrowserVNCApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforces different MFA options. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully. - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforces different MFA options. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully. - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforces different MFA options. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully. - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationUpdateResponseAppLauncherApplication struct{…}` - `Type AccessApplicationUpdateResponseAppLauncherApplicationType` The application type. 
- `const AccessApplicationUpdateResponseAppLauncherApplicationTypeSelfHosted AccessApplicationUpdateResponseAppLauncherApplicationType = "self_hosted"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeSaaS AccessApplicationUpdateResponseAppLauncherApplicationType = "saas"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeSSH AccessApplicationUpdateResponseAppLauncherApplicationType = "ssh"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeVNC AccessApplicationUpdateResponseAppLauncherApplicationType = "vnc"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeAppLauncher AccessApplicationUpdateResponseAppLauncherApplicationType = "app_launcher"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeWARP AccessApplicationUpdateResponseAppLauncherApplicationType = "warp"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeBISO AccessApplicationUpdateResponseAppLauncherApplicationType = "biso"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeBookmark AccessApplicationUpdateResponseAppLauncherApplicationType = "bookmark"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeDashSSO AccessApplicationUpdateResponseAppLauncherApplicationType = "dash_sso"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeInfrastructure AccessApplicationUpdateResponseAppLauncherApplicationType = "infrastructure"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeRDP AccessApplicationUpdateResponseAppLauncherApplicationType = "rdp"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeMcp AccessApplicationUpdateResponseAppLauncherApplicationType = "mcp"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeMcpPortal AccessApplicationUpdateResponseAppLauncherApplicationType = "mcp_portal"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeProxyEndpoint 
AccessApplicationUpdateResponseAppLauncherApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherLogoURL string` The image URL of the logo shown in the App Launcher header. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `BgColor string` The background color of the App Launcher page. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `FooterLinks []AccessApplicationUpdateResponseAppLauncherApplicationFooterLink` The links in the App Launcher footer. - `Name string` The hypertext in the footer link. - `URL string` The hyperlink in the footer link. - `HeaderBgColor string` The background color of the App Launcher header. - `LandingPageDesign AccessApplicationUpdateResponseAppLauncherApplicationLandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `ButtonColor string` The background color of the log in button on the landing page. - `ButtonTextColor string` The color of the text in the log in button on the landing page. - `ImageURL string` The URL of the image shown on the landing page. - `Message string` The message shown on the landing page. - `Title string` The title shown on the landing page. 
- `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseAppLauncherApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipAppLauncherLoginPage bool` Determines when to skip the App Launcher landing page. - `type AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. 
- `ConnectionRules AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. 
- `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationUpdateResponseBrowserIsolationPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. 
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `MfaConfig AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. 
- `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationUpdateResponseBookmarkApplication struct{…}` - `ID string` UUID. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `Domain string` The URL or domain of the bookmark. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseBookmarkApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationUpdateResponseInfrastructureApplication struct{…}` - `TargetCriteria []AccessApplicationUpdateResponseInfrastructureApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationUpdateResponseInfrastructureApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationUpdateResponseInfrastructureApplicationTargetCriteriaProtocolSSH AccessApplicationUpdateResponseInfrastructureApplicationTargetCriteriaProtocol = "SSH"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AUD string` Audience tag. - `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseInfrastructureApplicationPolicy` - `ID string` The UUID of the policy - `ConnectionRules AccessApplicationUpdateResponseInfrastructureApplicationPoliciesConnectionRules` The rules that define how users may connect to the targets secured by your application. - `SSH AccessApplicationUpdateResponseInfrastructureApplicationPoliciesConnectionRulesSSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `Usernames []string` Contains the Unix usernames that may be used when connecting over SSH. - `AllowEmailAlias bool` Enables using Identity Provider email alias as SSH username. 
- `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. 
Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access policy. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UpdatedAt Time` - `type AccessApplicationUpdateResponseBrowserRDPApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `TargetCriteria []AccessApplicationUpdateResponseBrowserRDPApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationUpdateResponseBrowserRDPApplicationTargetCriteriaProtocol` The communication protocol your application secures. 
- `const AccessApplicationUpdateResponseBrowserRDPApplicationTargetCriteriaProtocolRDP AccessApplicationUpdateResponseBrowserRDPApplicationTargetCriteriaProtocol = "RDP"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseBrowserRDPApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseBrowserRDPApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled.
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseBrowserRDPApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationUpdateResponseBrowserRDPApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationUpdateResponseMcpServerApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseMcpServerApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseMcpServerApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationUpdateResponseMcpServerApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseMcpServerApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationUpdateResponseMcpServerApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationUpdateResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseMcpServerApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. 
When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseMcpServerApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationUpdateResponseMcpServerApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseMcpServerApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. 
- `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type AccessApplicationUpdateResponseMcpServerPortalApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseMcpServerPortalApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. 
If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server ID configured in ai-controls. - `Type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseMcpServerPortalApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. 
- `DynamicClientRegistration AccessApplicationUpdateResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseMcpServerPortalApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationUpdateResponseMcpServerPortalApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. 
- `ConnectionRules AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. 
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) application, err := client.ZeroTrust.Access.Applications.Update( context.TODO(), "023e105f4ecef8ad9ca31a8372d0c353", zero_trust.AccessApplicationUpdateParams{ Body: zero_trust.AccessApplicationUpdateParamsBodySelfHostedApplication{ Domain: cloudflare.F("test.example.com/admin"), Type: cloudflare.F(zero_trust.ApplicationTypeSelfHosted), }, }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", application) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "domain": "test.example.com/admin", "type": "self_hosted", "id": 
"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "allow_authenticate_via_warp": true, "allow_iframe": true, "allowed_idps": [ "699d98642c564d2e855e9661899b7252" ], "app_launcher_visible": true, "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893", "auto_redirect_to_identity": true, "cors_headers": { "allow_all_headers": true, "allow_all_methods": true, "allow_all_origins": true, "allow_credentials": true, "allowed_headers": [ "string" ], "allowed_methods": [ "GET" ], "allowed_origins": [ "https://example.com" ], "max_age": -1 }, "created_at": "2014-01-01T05:20:00.12345Z", "custom_deny_message": "custom_deny_message", "custom_deny_url": "custom_deny_url", "custom_non_identity_deny_url": "custom_non_identity_deny_url", "custom_pages": [ "699d98642c564d2e855e9661899b7252" ], "destinations": [ { "type": "public", "uri": "test.example.com/admin" }, { "type": "public", "uri": "test.anotherexample.com/staff" }, { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" }, { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" } ], "enable_binding_cookie": true, "http_only_cookie_attribute": true, "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Admin Site", "oauth_configuration": { "dynamic_client_registration": { "allow_any_on_localhost": true, "allow_any_on_loopback": true, "allowed_uris": [ "https://example.com/callback" ], "enabled": true }, "enabled": true, "grant": { "access_token_lifetime": "5m", 
"session_duration": "24h" } }, "options_preflight_bypass": true, "path_cookie_attribute": true, "policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "read_service_tokens_from_header": "Authorization", "same_site_cookie_attribute": "strict", "scim_config": { "idp_uid": "idp_uid", "remote_uri": "remote_uri", "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" }, "deactivate_on_delete": true, "enabled": true, "mappings": [ { "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "enabled": true, "filter": "title pr or userType eq \"Intern\"", "operations": { "create": true, "delete": true, "update": true }, "strictness": "strict", "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & 
$substringAfter($.userName, '@')}])" } ] }, "self_hosted_domains": [ "test.example.com/admin", "test.anotherexample.com/staff" ], "service_auth_401_redirect": true, "session_duration": "24h", "skip_interstitial": true, "tags": [ "engineers" ], "updated_at": "2014-01-01T05:20:00.12345Z", "use_clientless_isolation_app_launcher_url": false } }
```

## Delete an Access application

`client.ZeroTrust.Access.Applications.Delete(ctx, appID, body) (*AccessApplicationDeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Deletes an application from Access.

### Parameters

- `AppID AppID`

  Identifier.

- `body AccessApplicationDeleteParams`

  - `AccountID param.Field[string]`

    The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

  - `ZoneID param.Field[string]`

    The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationDeleteResponse struct{…}`

  - `ID string`

    UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	application, err := client.ZeroTrust.Access.Applications.Delete(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationDeleteParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", application.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Revoke application tokens

`client.ZeroTrust.Access.Applications.RevokeTokens(ctx, appID, body) (*AccessApplicationRevokeTokensResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens`

Revokes all tokens issued for an application.

### Parameters

- `AppID AppID`

  Identifier.

- `body AccessApplicationRevokeTokensParams`

  - `AccountID param.Field[string]`

    The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

  - `ZoneID param.Field[string]`

    The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationRevokeTokensResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Access.Applications.RevokeTokens(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationRevokeTokensParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Allowed Headers

- `type AllowedHeaders string`

### Allowed IdPs

- `type AllowedIdPs string`

  The identity providers selected for application.

### Allowed Methods

- `type AllowedMethods string`

  - `const AllowedMethodsGet AllowedMethods = "GET"`
  - `const AllowedMethodsPost AllowedMethods = "POST"`
  - `const AllowedMethodsHead AllowedMethods = "HEAD"`
  - `const AllowedMethodsPut AllowedMethods = "PUT"`
  - `const AllowedMethodsDelete AllowedMethods = "DELETE"`
  - `const AllowedMethodsConnect AllowedMethods = "CONNECT"`
  - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"`
  - `const AllowedMethodsTrace AllowedMethods = "TRACE"`
  - `const AllowedMethodsPatch AllowedMethods = "PATCH"`

### Allowed Origins

- `type AllowedOrigins string`

### App ID

- `type AppID string`

  Identifier.
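The cookie, CORS, preflight, OAuth and MFA fields returned by the Update call decide how exposed an application is, so they are worth checking after every change. The Go program below is an added example, not part of the Cloudflare SDK or of this reference: it decodes a response envelope (a constructed sample trimmed from the Update response above) and lists settings that weaken protection. `ReviewApp`, `Finding` and the finding IDs are hypothetical names, and the `none` SameSite value is an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Finding is one review result. The IDs are labels invented for this example.
type Finding struct{ ID, Detail string }

// accessApp holds only the response fields reviewed here; the JSON keys are
// the ones shown in the Update response on this page.
type accessApp struct {
	HTTPOnly        *bool  `json:"http_only_cookie_attribute"` // nil = not reported
	SameSite        string `json:"same_site_cookie_attribute"`
	PreflightBypass bool   `json:"options_preflight_bypass"`
	CORS            *struct {
		AllowAllOrigins  bool `json:"allow_all_origins"`
		AllowCredentials bool `json:"allow_credentials"`
	} `json:"cors_headers"`
	OAuth *struct {
		Enabled *bool `json:"enabled"` // documented default: true if omitted
		DCR     struct {
			Enabled      bool `json:"enabled"`
			AnyLocalhost bool `json:"allow_any_on_localhost"`
			AnyLoopback  bool `json:"allow_any_on_loopback"`
		} `json:"dynamic_client_registration"`
	} `json:"oauth_configuration"`
	Policies []struct {
		Name     string `json:"name"`
		Decision string `json:"decision"`
		MFA      *struct {
			Disabled bool `json:"mfa_disabled"`
		} `json:"mfa_config"`
	} `json:"policies"`
}

// ReviewApp decodes an API response envelope and lists weakening settings.
func ReviewApp(raw []byte) ([]Finding, error) {
	var env struct {
		Success bool      `json:"success"`
		Result  accessApp `json:"result"`
	}
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("response has success=false, no result to review")
	}
	app, out := env.Result, []Finding{}
	add := func(id, detail string) { out = append(out, Finding{id, detail}) }

	if app.HTTPOnly != nil && !*app.HTTPOnly {
		add("cookie-not-httponly", "HttpOnly is off: page scripts can read the Access cookie")
	}
	if strings.EqualFold(app.SameSite, "none") { // "none" is an assumed value
		add("cookie-samesite-none", "SameSite=none: cookie is sent on cross-site requests")
	}
	if app.PreflightBypass {
		add("options-preflight-bypass", "OPTIONS requests reach the origin without Access authentication")
	}
	if c := app.CORS; c != nil && c.AllowAllOrigins && c.AllowCredentials {
		add("cors-credentials-any-origin", "credentialed CORS requests allowed from every origin")
	}
	// OAuth handling is on unless "enabled" is explicitly false.
	if o := app.OAuth; o != nil && (o.Enabled == nil || *o.Enabled) &&
		o.DCR.Enabled && (o.DCR.AnyLocalhost || o.DCR.AnyLoopback) {
		add("dcr-any-local-redirect", "any client with a localhost/127.0.0.1 redirect URI may register")
	}
	for _, p := range app.Policies {
		if p.Decision == "bypass" {
			add("policy-bypass", fmt.Sprintf("policy %q uses the bypass decision", p.Name))
		}
		if p.MFA != nil && p.MFA.Disabled {
			add("policy-mfa-disabled", fmt.Sprintf("policy %q disables MFA", p.Name))
		}
	}
	return out, nil
}

// sampleResponse is constructed for this example (trimmed from the page's sample).
const sampleResponse = `{
  "success": true,
  "result": {
    "http_only_cookie_attribute": true,
    "same_site_cookie_attribute": "strict",
    "options_preflight_bypass": true,
    "cors_headers": {"allow_all_origins": true, "allow_credentials": true},
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true, "allow_any_on_loopback": true, "enabled": true
      },
      "enabled": true
    },
    "policies": [
      {"name": "Allow devs", "decision": "allow", "mfa_config": {"mfa_disabled": false}}
    ]
  }
}`

func main() {
	findings, err := ReviewApp([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %s\n", f.ID, f.Detail)
	}
}
```

In practice the same function can be fed the raw JSON of each application fetched from the API, with any finding failing the change pipeline.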
### Application - `type Application interface{…}` - `ApplicationSelfHostedApplication` - `Domain string` The domain and path that Access will secure. - `Type string` The application type. - `ID string` UUID. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders ApplicationSelfHostedApplicationCORSHeaders` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `AllowedHeaders []unknown` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. - `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []unknown` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. - `CreatedAt Time` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. 
- `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application. - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication ApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken` - `Token string` Token used to authenticate with the remote SCIM service. 
- `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthentication` - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken` - `Token string` Token used to authenticate with the remote SCIM service. - `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `UpdatedAt Time` - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `ApplicationSaaSApplication` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CreatedAt Time` - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `SaaSApp ApplicationSaaSApplicationSaaSApp` - `ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSApp` - `AuthType ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. 
Default if unset is "saml" - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType = "saml"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CreatedAt Time` - `CustomAttributes []ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP map[string, string]` A mapping from IdP ID to attribute name. 
- `IdPEntityID string` The unique identifier for your SaaS application. - `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. - `UpdatedAt Time` - `ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSApp` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users - `AuthType ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC. - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType = "saml"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. 
- `CreatedAt Time` - `CustomClaims []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token. - `Scope ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeGroups ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "groups"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeProfile ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "profile"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeEmail ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "email"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeOpenid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "openid"` - `Source ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. 
- `GrantTypes []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType` The OIDC flows supported by this application - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeAuthorizationCode ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "authorization_code"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeRefreshTokens ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "refresh_tokens"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeHybrid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "hybrid"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeImplicit ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint. - `HybridAndImplicitOptions ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. - `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `RefreshTokenOptions ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. 
- `Scopes []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope` Defines the user information shared with Access. The "offline_access" scope is automatically enabled if refresh tokens are enabled. - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeOpenid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "openid"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeGroups ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "groups"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeEmail ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "email"` - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeProfile ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "profile"` - `UpdatedAt Time` - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `Type string` The application type. - `UpdatedAt Time` - `ApplicationBrowserSSHApplication` - `Domain string` The domain and path that Access will secure. - `Type string` The application type. - `ID string` UUID. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders ApplicationBrowserSSHApplicationCORSHeaders` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. 
- `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `AllowedHeaders []unknown` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. - `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []unknown` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. - `CreatedAt Time` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application. - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. 
- `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `UpdatedAt Time` - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `ApplicationBrowserVNCApplication` - `Domain string` The domain and path that Access will secure. - `Type string` The application type. - `ID string` UUID. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders ApplicationBrowserVNCApplicationCORSHeaders` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `AllowedHeaders []unknown` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. 
- `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []unknown` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. - `CreatedAt Time` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application. - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. 
Valid time units are: ns, us (or µs), ms, s, m, h. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `UpdatedAt Time` - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `ApplicationAppLauncherApplication` - `Type ApplicationAppLauncherApplicationType` The application type. - `const ApplicationAppLauncherApplicationTypeSelfHosted ApplicationAppLauncherApplicationType = "self_hosted"` - `const ApplicationAppLauncherApplicationTypeSaaS ApplicationAppLauncherApplicationType = "saas"` - `const ApplicationAppLauncherApplicationTypeSSH ApplicationAppLauncherApplicationType = "ssh"` - `const ApplicationAppLauncherApplicationTypeVNC ApplicationAppLauncherApplicationType = "vnc"` - `const ApplicationAppLauncherApplicationTypeAppLauncher ApplicationAppLauncherApplicationType = "app_launcher"` - `const ApplicationAppLauncherApplicationTypeWARP ApplicationAppLauncherApplicationType = "warp"` - `const ApplicationAppLauncherApplicationTypeBISO ApplicationAppLauncherApplicationType = "biso"` - `const ApplicationAppLauncherApplicationTypeBookmark ApplicationAppLauncherApplicationType = "bookmark"` - `const ApplicationAppLauncherApplicationTypeDashSSO ApplicationAppLauncherApplicationType = "dash_sso"` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CreatedAt Time` - `Domain string` The domain and path that Access will secure. 
- `Name string` The name of the application. - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ApplicationDeviceEnrollmentPermissionsApplication` - `Type ApplicationDeviceEnrollmentPermissionsApplicationType` The application type. - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeSelfHosted ApplicationDeviceEnrollmentPermissionsApplicationType = "self_hosted"` - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeSaaS ApplicationDeviceEnrollmentPermissionsApplicationType = "saas"` - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeSSH ApplicationDeviceEnrollmentPermissionsApplicationType = "ssh"` - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeVNC ApplicationDeviceEnrollmentPermissionsApplicationType = "vnc"` - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeAppLauncher ApplicationDeviceEnrollmentPermissionsApplicationType = "app_launcher"` - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeWARP ApplicationDeviceEnrollmentPermissionsApplicationType = "warp"` - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeBISO ApplicationDeviceEnrollmentPermissionsApplicationType = "biso"` - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeBookmark ApplicationDeviceEnrollmentPermissionsApplicationType = "bookmark"` - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeDashSSO ApplicationDeviceEnrollmentPermissionsApplicationType = "dash_sso"` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. 
- `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CreatedAt Time` - `Domain string` The domain and path that Access will secure. - `Name string` The name of the application. - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ApplicationBrowserIsolationPermissionsApplication` - `Type ApplicationBrowserIsolationPermissionsApplicationType` The application type. - `const ApplicationBrowserIsolationPermissionsApplicationTypeSelfHosted ApplicationBrowserIsolationPermissionsApplicationType = "self_hosted"` - `const ApplicationBrowserIsolationPermissionsApplicationTypeSaaS ApplicationBrowserIsolationPermissionsApplicationType = "saas"` - `const ApplicationBrowserIsolationPermissionsApplicationTypeSSH ApplicationBrowserIsolationPermissionsApplicationType = "ssh"` - `const ApplicationBrowserIsolationPermissionsApplicationTypeVNC ApplicationBrowserIsolationPermissionsApplicationType = "vnc"` - `const ApplicationBrowserIsolationPermissionsApplicationTypeAppLauncher ApplicationBrowserIsolationPermissionsApplicationType = "app_launcher"` - `const ApplicationBrowserIsolationPermissionsApplicationTypeWARP ApplicationBrowserIsolationPermissionsApplicationType = "warp"` - `const ApplicationBrowserIsolationPermissionsApplicationTypeBISO ApplicationBrowserIsolationPermissionsApplicationType = "biso"` - `const ApplicationBrowserIsolationPermissionsApplicationTypeBookmark ApplicationBrowserIsolationPermissionsApplicationType = "bookmark"` - `const ApplicationBrowserIsolationPermissionsApplicationTypeDashSSO ApplicationBrowserIsolationPermissionsApplicationType = "dash_sso"` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CreatedAt Time` - `Domain string` The domain and path that Access will secure. - `Name string` The name of the application. - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ApplicationBookmarkApplication` - `Domain string` The URL or domain of the bookmark. - `Type string` The application type. - `ID string` UUID. - `AppLauncherVisible unknown` - `AUD string` Audience tag. - `CreatedAt Time` - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `UpdatedAt Time`

### Application Policy

- `type ApplicationPolicy struct{…}` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. 
- `ConnectionRules ApplicationPolicyConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP ApplicationPolicyConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []ApplicationPolicyConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const ApplicationPolicyConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText ApplicationPolicyConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []ApplicationPolicyConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const ApplicationPolicyConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText ApplicationPolicyConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. 
- `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig ApplicationPolicyMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []ApplicationPolicyMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const ApplicationPolicyMfaConfigAllowedAuthenticatorTotp ApplicationPolicyMfaConfigAllowedAuthenticator = "totp"` - `const ApplicationPolicyMfaConfigAllowedAuthenticatorBiometrics ApplicationPolicyMfaConfigAllowedAuthenticator = "biometrics"` - `const ApplicationPolicyMfaConfigAllowedAuthenticatorSecurityKey ApplicationPolicyMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` ### Application SCIM Config - `type ApplicationSCIMConfig struct{…}` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication ApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken` - `Token string` Token used to authenticate with the remote SCIM service. - `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthentication` - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken` - `Token string` Token used to authenticate with the remote SCIM service. - `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. ### Application Type - `type ApplicationType string` The application type. - `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"` - `const ApplicationTypeSaaS ApplicationType = "saas"` - `const ApplicationTypeSSH ApplicationType = "ssh"` - `const ApplicationTypeVNC ApplicationType = "vnc"` - `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"` - `const ApplicationTypeWARP ApplicationType = "warp"` - `const ApplicationTypeBISO ApplicationType = "biso"` - `const ApplicationTypeBookmark ApplicationType = "bookmark"` - `const ApplicationTypeDashSSO ApplicationType = "dash_sso"` - `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"` - `const ApplicationTypeRDP ApplicationType = "rdp"` - `const ApplicationTypeMcp ApplicationType = "mcp"` - `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"` - `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"` ### CORS Headers - `type CORSHeaders struct{…}` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. 
- `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []AllowedOrigins` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. ### Decision - `type Decision string` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` ### OIDC SaaS App - `type OIDCSaaSApp struct{…}` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users. - `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC. - `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"` - `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. - `CustomClaims []OIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token.
- `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"` - `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"` - `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"` - `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"` - `Source OIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP map[string, string]` A mapping from IdP ID to claim name. - `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application - `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"` - `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"` - `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"` - `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. - `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
- `Scopes []OIDCSaaSAppScope` Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled - `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"` - `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"` - `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"` - `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"` ### SaaS App Name ID Format - `type SaaSAppNameIDFormat string` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` ### SAML SaaS App - `type SAMLSaaSApp struct{…}` - `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"` - `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CustomAttributes []SAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. 
- `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source SAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. - `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `IdPEntityID string` The unique identifier for your SaaS application. - `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values.
It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. ### SCIM Config Authentication HTTP Basic - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. ### SCIM Config Authentication OAuth Bearer Token - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` ### SCIM Config Authentication Oauth2 - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. 
- `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. ### SCIM Config Mapping - `type SCIMConfigMapping struct{…}` Transformations and filters applied to resources before they are provisioned in the remote SCIM service. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
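
The Include (OR), Require (AND) and Exclude (NOT) semantics described under Application Policy above, modelled as an added Go example that is not SDK code or part of the original page. `Identity`, `Rule`, `Policy`, `Explain` and the rule constructors are hypothetical local names, the users and policies are constructed, and treating an empty Include list as matching nobody is an assumption of this model.

```go
package main

import (
	"fmt"
	"strings"
)

// Identity is a constructed, simplified view of a signed-in user.
type Identity struct{ Email, Country string }

// Rule is a local stand-in for one AccessRule entry (not the SDK type).
type Rule struct {
	Name  string
	Match func(Identity) bool
}

// Hypothetical constructors modelling three of the rule kinds listed above.
func EmailDomain(d string) Rule {
	return Rule{"email_domain:" + d, func(id Identity) bool {
		// Anchor on "@" so notexample.com does not match example.com.
		return strings.HasSuffix(strings.ToLower(id.Email), "@"+strings.ToLower(d))
	}}
}

func Email(addr string) Rule {
	return Rule{"email:" + addr, func(id Identity) bool { return strings.EqualFold(id.Email, addr) }}
}

func Country(code string) Rule {
	return Rule{"geo:" + code, func(id Identity) bool { return strings.EqualFold(id.Country, code) }}
}

// Policy mirrors the Decision, Include, Exclude and Require fields.
type Policy struct {
	Decision                  string // "allow", "deny", "non_identity" or "bypass"
	Include, Exclude, Require []Rule
}

// Explain reports whether id matches p and which rule list settled it.
func Explain(p Policy, id Identity) (bool, string) {
	included := ""
	for _, r := range p.Include { // OR: one hit is enough
		if r.Match(id) {
			included = r.Name
			break
		}
	}
	if included == "" { // assumption: an empty Include list matches nobody
		return false, "no include rule met"
	}
	for _, r := range p.Require { // AND: every rule must hold
		if !r.Match(id) {
			return false, "require rule not met: " + r.Name
		}
	}
	for _, r := range p.Exclude { // NOT: any hit disqualifies
		if r.Match(id) {
			return false, "exclude rule met: " + r.Name
		}
	}
	return true, p.Decision + " via include " + included
}

// StaffPolicy is constructed: staff or one partner, only from DE, minus one account.
func StaffPolicy() Policy {
	return Policy{
		Decision: "allow",
		Include:  []Rule{EmailDomain("example.com"), Email("carol@partner.test")},
		Require:  []Rule{Country("DE")},
		Exclude:  []Rule{Email("former.admin@example.com")},
	}
}

// TwoEmailsInRequire shows a common mistake: Require is AND, so two different
// addresses listed there give a policy that no single user can match.
func TwoEmailsInRequire() Policy {
	return Policy{
		Decision: "allow",
		Include:  []Rule{EmailDomain("example.com")},
		Require:  []Rule{Email("alice@example.com"), Email("bob@example.com")},
	}
}

func main() {
	users := []Identity{
		{"alice@example.com", "DE"}, {"alice@example.com", "US"},
		{"former.admin@example.com", "DE"}, {"mallory@notexample.com", "DE"},
		{"carol@partner.test", "DE"},
	}
	for _, u := range users {
		ok, why := Explain(StaffPolicy(), u)
		fmt.Printf("%-25s %s match=%-5v %s\n", u.Email, u.Country, ok, why)
	}
	ok, why := Explain(TwoEmailsInRequire(), users[0])
	fmt.Printf("two emails in Require: match=%v (%s)\n", ok, why)
}
```
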
### Self Hosted Domains

- `type SelfHostedDomains string` A domain that Access will secure.

# CAs

## List short-lived certificate CAs

`client.ZeroTrust.Access.Applications.CAs.List(ctx, params) (*V4PagePaginationArray[CA], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca`

Lists short-lived certificate CAs and their public keys.

### Parameters

- `params AccessApplicationCAListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.

### Returns

- `type CA struct{…}`
  - `ID string` The ID of the CA.
  - `AUD string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `PublicKey string` The public key to add to your SSH server configuration.
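
A check to run on a returned `public_key` value before it is added to the SSH server configuration, as an added Go example that is not SDK code or part of the original page. `CheckCAPublicKey`, `SampleCALine` and the helpers are hypothetical names, the sample key is constructed at run time, and accepting only `ecdsa-sha2-nistp256` (the type in the page's sample response) and writing the result to the file named by sshd's `TrustedUserCAKeys` directive are assumptions.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// caKeyType is the key type shown in this page's sample response.
const caKeyType = "ecdsa-sha2-nistp256"

// sshString encodes b as an SSH wire string: uint32 big-endian length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// readString decodes one SSH wire string and returns it with the remaining bytes.
func readString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 {
		return nil, nil, errors.New("truncated length prefix")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(n) > uint64(len(b)-4) {
		return nil, nil, errors.New("length prefix exceeds blob")
	}
	return b[4 : 4+n], b[4+n:], nil
}

// CheckCAPublicKey validates one public_key value and returns the normalized
// single line to store as a trusted user CA key.
func CheckCAPublicKey(value string) (string, error) {
	// A trusted-keys file holds one key per line; refuse anything multi-line.
	if strings.ContainsAny(value, "\r\n") {
		return "", errors.New("value spans more than one line")
	}
	f := strings.Fields(value)
	if len(f) < 2 {
		return "", errors.New(`want "<type> <base64> [comment]"`)
	}
	if f[0] != caKeyType {
		return "", fmt.Errorf("unexpected key type %q", f[0])
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return "", fmt.Errorf("key blob is not base64: %w", err)
	}
	// The blob repeats the key type; it must agree with the text prefix.
	inner, rest, err := readString(blob)
	if err != nil {
		return "", err
	}
	if string(inner) != f[0] {
		return "", fmt.Errorf("blob declares %q, prefix says %q", inner, f[0])
	}
	curve, rest, err := readString(rest)
	if err != nil {
		return "", err
	}
	if string(curve) != "nistp256" {
		return "", fmt.Errorf("unexpected curve %q", curve)
	}
	point, rest, err := readString(rest)
	if err != nil {
		return "", err
	}
	if len(rest) != 0 {
		return "", errors.New("trailing bytes after public point")
	}
	// NewPublicKey rejects encodings that are not a valid uncompressed P-256 point.
	if _, err := ecdh.P256().NewPublicKey(point); err != nil {
		return "", fmt.Errorf("invalid P-256 point: %w", err)
	}
	return strings.Join(f, " "), nil
}

// SampleCALine builds a constructed key line in the shape of the response's
// public_key field (the value printed on this page is a masked placeholder).
func SampleCALine() string {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	blob := sshString([]byte(caKeyType))
	blob = append(blob, sshString([]byte("nistp256"))...)
	blob = append(blob, sshString(priv.PublicKey().Bytes())...)
	return caKeyType + " " + base64.StdEncoding.EncodeToString(blob) + " open-ssh-ca@cloudflareaccess.org"
}

func main() {
	line, err := CheckCAPublicKey(SampleCALine())
	fmt.Println("constructed key accepted:", err == nil)
	fmt.Println("line to store:", line)
	_, err = CheckCAPublicKey("ecdsa-sha2-nistp256 xxxx= open-ssh-ca@cloudflareaccess.org")
	fmt.Println("masked placeholder rejected:", err)
}
```
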
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Example token; in real code load it from the environment or a secret store.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Applications.CAs.List(context.TODO(), zero_trust.AccessApplicationCAListParams{
		// Set exactly one of AccountID or ZoneID; they are mutually exclusive.
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a short-lived certificate CA

`client.ZeroTrust.Access.Applications.CAs.Get(ctx, appID, query) (*CA, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Fetches a short-lived certificate CA and its public key.

### Parameters

- `appID string` UUID.
- `query AccessApplicationCAGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type CA struct{…}`
  - `ID string` The ID of the CA.
  - `AUD string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `PublicKey string` The public key to add to your SSH server configuration.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ca, err := client.ZeroTrust.Access.Applications.CAs.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationCAGetParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ca.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Create a short-lived certificate CA

`client.ZeroTrust.Access.Applications.CAs.New(ctx, appID, body) (*CA, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Generates a new short-lived certificate CA and public key.

### Parameters

- `appID string` UUID.
- `body AccessApplicationCANewParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type CA struct{…}`
  - `ID string` The ID of the CA.
  - `AUD string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `PublicKey string` The public key to add to your SSH server configuration.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ca, err := client.ZeroTrust.Access.Applications.CAs.New(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationCANewParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ca.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Delete a short-lived certificate CA

`client.ZeroTrust.Access.Applications.CAs.Delete(ctx, appID, body) (*AccessApplicationCADeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Deletes a short-lived certificate CA.

### Parameters

- `appID string` UUID.
- `body AccessApplicationCADeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationCADeleteResponse struct{…}`
  - `ID string` The ID of the CA.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ca, err := client.ZeroTrust.Access.Applications.CAs.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationCADeleteParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ca.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9"
  }
}
```

## Domain Types

### CA

- `type CA struct{…}`
  - `ID string` The ID of the CA.
  - `AUD string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `PublicKey string` The public key to add to your SSH server configuration.

# User Policy Checks

## Test Access policies

`client.ZeroTrust.Access.Applications.UserPolicyChecks.List(ctx, appID, query) (*AccessApplicationUserPolicyCheckListResponse, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks`

Tests if a specific user has permission to access an application.

### Parameters

- `AppID AppID` Identifier.
- `query AccessApplicationUserPolicyCheckListParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationUserPolicyCheckListResponse struct{…}`
  - `AppState AccessApplicationUserPolicyCheckListResponseAppState`
    - `AppUID string` UUID.
    - `AUD string`
    - `Hostname string`
    - `Name string`
    - `Policies []unknown`
    - `Status string`
  - `UserIdentity AccessApplicationUserPolicyCheckListResponseUserIdentity`
    - `ID string`
    - `AccountID string`
    - `DeviceSessions unknown`
    - `Email string`
    - `Geo UserPolicyCheckGeo`
      - `Country string`
    - `Iat int64`
    - `IsGateway bool`
    - `IsWARP bool`
    - `Name string`
    - `UserUUID string` UUID.
    - `Version int64`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	userPolicyChecks, err := client.ZeroTrust.Access.Applications.UserPolicyChecks.List(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationUserPolicyCheckListParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", userPolicyChecks.UserIdentity)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "app_state": {
      "app_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe389",
      "hostname": "test.com",
      "name": "Test App",
      "policies": [
        {
          "decision": "allow",
          "exclude": [],
          "include": [
            {
              "_type": "email",
              "email": "testuser@gmail.com"
            }
          ],
          "precedence": 1,
          "require": [],
          "status": "Success"
        }
      ],
      "status": "Success"
    },
    "user_identity": {
      "id": "1164449231815010287495",
      "account_id": "41ecfbb341f033e52b46742756aabb8b",
      "device_sessions": {},
      "email": "testuser@gmail.com",
      "geo": {
        "country": "US"
      },
      "iat": 0,
      "is_gateway": false,
      "is_warp": false,
      "name": "Test User",
      "user_uuid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "version": 0
    }
  }
}
```

## Domain Types

### User Policy Check Geo

- `type UserPolicyCheckGeo struct{…}`
  - `Country string`

# Policies

## List Access application policies

`client.ZeroTrust.Access.Applications.Policies.List(ctx, appID, params) (*V4PagePaginationArray[AccessApplicationPolicyListResponse], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.

### Parameters

- `appID string` UUID.
- `params AccessApplicationPolicyListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.

### Returns

- `type AccessApplicationPolicyListResponse struct{…}`
  - `ID string` The UUID of the policy
  - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a re-usable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules AccessApplicationPolicyListResponseConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyListResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `CreatedAt Time`
  - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `const DecisionAllow Decision = "allow"`
    - `const DecisionDeny Decision = "deny"`
    - `const DecisionNonIdentity Decision = "non_identity"`
    - `const DecisionBypass Decision = "bypass"`
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your GitHub identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `MfaConfig AccessApplicationPolicyListResponseMfaConfig` Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Name string` The name of the Access policy.
  - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
  - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
  - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
  - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Applications.Policies.List(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationPolicyListParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": [
            "test1@cloudflare.com",
            "test2@cloudflare.com"
          ],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": [
            "test@cloudflare.com",
            "test2@cloudflare.com"
          ],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": [
            "text"
          ],
          "allowed_clipboard_remote_to_local_formats": [
            "text"
          ]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "include": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": [
          "totp",
          "biometrics",
          "security_key"
        ],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "precedence": 0,
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application policy

`client.ZeroTrust.Access.Applications.Policies.Get(ctx, appID, policyID, query) (*AccessApplicationPolicyGetResponse, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.

### Parameters

- `appID string` UUID.
- `policyID string` UUID.
- `query AccessApplicationPolicyGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationPolicyGetResponse struct{…}`
  - `ID string` The UUID of the policy
  - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a re-usable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules AccessApplicationPolicyGetResponseConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyGetResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `CreatedAt Time`
  - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `const DecisionAllow Decision = "allow"`
    - `const DecisionDeny Decision = "deny"`
    - `const DecisionNonIdentity Decision = "non_identity"`
    - `const DecisionBypass Decision = "bypass"`
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your GitHub identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationPolicyGetResponseMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
  - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Placeholder credentials from the docs; load real ones from the
	// environment or a secret store instead of hard-coding them.
	client := cloudflare.NewClient(
		option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
		option.WithAPIEmail("user@example.com"),
	)
	policy, err := client.ZeroTrust.Access.Applications.Policies.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", // appID
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", // policyID
		zero_trust.AccessApplicationPolicyGetParams{
			// Set exactly one of AccountID or ZoneID; they are mutually exclusive.
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access application policy

`client.ZeroTrust.Access.Applications.Policies.New(ctx, appID, params) (*AccessApplicationPolicyNewResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Creates a policy applying exclusively to a single application that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.

### Parameters

- `appID string` UUID.
- `params AccessApplicationPolicyNewParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `ApprovalGroups param.Field[[]ApprovalGroup]` Body param: Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired param.Field[bool]` Body param: Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules param.Field[AccessApplicationPolicyNewParamsConnectionRules]` Body param: The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyNewParamsConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `IsolationRequired param.Field[bool]` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `MfaConfig param.Field[AccessApplicationPolicyNewParamsMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Precedence param.Field[int64]` Body param: The order of execution for this policy. Must be unique for each policy within an app.
  - `PurposeJustificationPrompt param.Field[string]` Body param: A custom message that will appear on the purpose justification screen.
  - `PurposeJustificationRequired param.Field[bool]` Body param: Require users to enter a justification when they log in to the application.
  - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `type AccessApplicationPolicyNewResponse struct{…}`
  - `ID string` The UUID of the policy.
  - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules AccessApplicationPolicyNewResponseConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyNewResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. 
- `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. 
- `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. 
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `MfaConfig AccessApplicationPolicyNewResponseMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. 
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Placeholder token from the docs; load a real one from the
	// environment or a secret store instead of hard-coding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policy, err := client.ZeroTrust.Access.Applications.Policies.New(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", // appID
		zero_trust.AccessApplicationPolicyNewParams{
			// Set exactly one of AccountID or ZoneID (mutually exclusive),
			// then the body params for the policy.
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access application policy

`client.ZeroTrust.Access.Applications.Policies.Update(ctx, appID, policyID, params) (*AccessApplicationPolicyUpdateResponse, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

### Parameters

- `appID string` UUID.
- `policyID string` UUID.
- `params AccessApplicationPolicyUpdateParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `ApprovalGroups param.Field[[]ApprovalGroup]` Body param: Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired param.Field[bool]` Body param: Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules param.Field[AccessApplicationPolicyUpdateParamsConnectionRules]` Body param: The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyUpdateParamsConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `IsolationRequired param.Field[bool]` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `MfaConfig param.Field[AccessApplicationPolicyUpdateParamsMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Precedence param.Field[int64]` Body param: The order of execution for this policy. Must be unique for each policy within an app.
  - `PurposeJustificationPrompt param.Field[string]` Body param: A custom message that will appear on the purpose justification screen.
  - `PurposeJustificationRequired param.Field[bool]` Body param: Require users to enter a justification when they log in to the application.
  - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `type AccessApplicationPolicyUpdateResponse struct{…}`
  - `ID string` The UUID of the policy.
  - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules AccessApplicationPolicyUpdateResponseConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyUpdateResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. 
- `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. 
- `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. 
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `MfaConfig AccessApplicationPolicyUpdateResponseMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. 
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) policy, err := client.ZeroTrust.Access.Applications.Policies.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessApplicationPolicyUpdateParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", policy.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", 
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access application policy

`client.ZeroTrust.Access.Applications.Policies.Delete(ctx, appID, policyID, body) (*AccessApplicationPolicyDeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

### Parameters

- `appID string` UUID.
- `policyID string` UUID.
- `body AccessApplicationPolicyDeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationPolicyDeleteResponse struct{…}`
  - `ID string` UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policy, err := client.ZeroTrust.Access.Applications.Policies.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationPolicyDeleteParams{
			// Set exactly one of AccountID or ZoneID; they are mutually exclusive.
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Access Device Posture Rule

- `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
  - `DevicePosture AccessDevicePostureRuleDevicePosture`
    - `IntegrationUID string` The ID of a device posture integration.

### Access Rule

- `type AccessRule interface{…}` Matches an Access group.
  - `type GroupRule struct{…}` Matches an Access group.
    - `Group GroupRuleGroup`
      - `ID string` The ID of a previously created Access group.
  - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
  - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
      - `ID string` The ID of an Authentication context.
      - `AcID string` The ACID of an Authentication context.
- `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` ### Any Valid Service Token Rule - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. 

### Authentication Method Rule

- `type AuthenticationMethodRule struct{…}` Enforce different MFA options
  - `AuthMethod AuthenticationMethodRuleAuthMethod`
    - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

### Azure Group Rule

- `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
  - `AzureAD AzureGroupRuleAzureAD`
    - `ID string` The ID of an Azure group.
    - `IdentityProviderID string` The ID of your Azure identity provider.

### Certificate Rule

- `type CertificateRule struct{…}` Matches any valid client certificate.
  - `Certificate CertificateRuleCertificate`

### Country Rule

- `type CountryRule struct{…}` Matches a specific country
  - `Geo CountryRuleGeo`
    - `CountryCode string` The country code that should be matched.

### Domain Rule

- `type DomainRule struct{…}` Match an entire email domain.
  - `EmailDomain DomainRuleEmailDomain`
    - `Domain string` The email domain to match.

### Email List Rule

- `type EmailListRule struct{…}` Matches an email address from a list.
  - `EmailList EmailListRuleEmailList`
    - `ID string` The ID of a previously created email list.

### Email Rule

- `type EmailRule struct{…}` Matches a specific email.
  - `Email EmailRuleEmail`
    - `Email string` The email of the user.

### Everyone Rule

- `type EveryoneRule struct{…}` Matches everyone.
  - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.

### External Evaluation Rule

- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
    - `EvaluateURL string` The API endpoint containing your business logic.
    - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.

### GitHub Organization Rule

- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
    - `IdentityProviderID string` The ID of your GitHub identity provider.
    - `Name string` The name of the organization.
    - `Team string` The name of the team

### Group Rule

- `type GroupRule struct{…}` Matches an Access group.
  - `Group GroupRuleGroup`
    - `ID string` The ID of a previously created Access group.

### GSuite Group Rule

- `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `GSuite GSuiteGroupRuleGSuite`
    - `Email string` The email of the Google Workspace group.
    - `IdentityProviderID string` The ID of your Google Workspace identity provider.

### IP List Rule

- `type IPListRule struct{…}` Matches an IP address from a list.
  - `IPList IPListRuleIPList`
    - `ID string` The ID of a previously created IP list.

### IP Rule

- `type IPRule struct{…}` Matches an IP address block.
  - `IP IPRuleIP`
    - `IP string` An IPv4 or IPv6 CIDR block.

### Okta Group Rule

- `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
  - `Okta OktaGroupRuleOkta`
    - `IdentityProviderID string` The ID of your Okta identity provider.
    - `Name string` The name of the Okta group.

### SAML Group Rule

- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
  - `SAML SAMLGroupRuleSAML`
    - `AttributeName string` The name of the SAML attribute.
    - `AttributeValue string` The SAML attribute value to look for.
    - `IdentityProviderID string` The ID of your SAML identity provider.

### Service Token Rule

- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
  - `ServiceToken ServiceTokenRuleServiceToken`
    - `TokenID string` The ID of a Service Token.
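
The Include (OR), Exclude (NOT) and Require (AND) semantics documented for Access policies above can be checked offline before a policy is created or updated. The following is an added example, not part of cloudflare-go: `Identity`, `Matches` and `MatchesAnyone` are hypothetical names, the JSON keys for rule types other than `group` are assumed to be the snake_case form of the Go field names, and a rule type that cannot be evaluated locally never contributes to a match.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strings"
)

// Identity holds the attributes this sketch evaluates locally (hypothetical type).
type Identity struct{ Email, IP, Country string }

// Rule is one AccessRule: a JSON object whose single key names the rule type.
type Rule map[string]json.RawMessage

// Policy mirrors the policy response fields that drive matching.
type Policy struct {
	Name     string `json:"name"`
	Decision string `json:"decision"`
	Include  []Rule `json:"include"`
	Exclude  []Rule `json:"exclude"`
	Require  []Rule `json:"require"`
}

// samplePolicy is constructed for this example; keys other than "group" are assumed.
const samplePolicy = `{
  "name": "Allow devs", "decision": "allow",
  "include": [{"email_domain": {"domain": "example.com"}}, {"ip": {"ip": "203.0.113.0/24"}}],
  "exclude": [{"email": {"email": "contractor@example.com"}}],
  "require": [{"geo": {"country_code": "US"}}]
}`

// LoadPolicy decodes a policy object (the "result" value of an API response).
func LoadPolicy(doc string) (p Policy, err error) {
	err = json.Unmarshal([]byte(doc), &p)
	return p, err
}

// eq is a case-insensitive comparison that never matches on an empty rule value.
func eq(a, b string) bool { return a != "" && strings.EqualFold(a, b) }

// ruleMatches evaluates one rule; known is false for types (group, okta, saml, ...) that need an external lookup.
func ruleMatches(r Rule, id Identity) (matched, known bool) {
	for kind, raw := range r {
		var f map[string]string
		_ = json.Unmarshal(raw, &f) // non-string fields belong to unsupported kinds
		switch kind {
		case "everyone":
			return true, true
		case "email":
			return eq(f["email"], id.Email), true
		case "email_domain":
			_, domain, ok := strings.Cut(id.Email, "@")
			return ok && eq(f["domain"], domain), true
		case "geo":
			return eq(f["country_code"], id.Country), true
		case "ip":
			prefix, perr := netip.ParsePrefix(f["ip"])
			addr, aerr := netip.ParseAddr(id.IP)
			return perr == nil && aerr == nil && prefix.Contains(addr), true
		}
	}
	return false, false
}

// Matches applies the documented semantics: Exclude is NOT, Require is AND, Include is OR.
func Matches(p Policy, id Identity) bool {
	for _, r := range p.Exclude {
		if m, known := ruleMatches(r, id); m || !known {
			return false // an Exclude hit, or an Exclude rule we cannot evaluate
		}
	}
	for _, r := range p.Require {
		if m, _ := ruleMatches(r, id); !m {
			return false // every Require rule must match
		}
	}
	for _, r := range p.Include {
		if m, _ := ruleMatches(r, id); m {
			return true // one Include rule is enough
		}
	}
	return false // an empty Include list matches nobody
}

// MatchesAnyone reports whether an identity with no attributes matches, i.e. an unrestricted "everyone" Include.
func MatchesAnyone(p Policy) bool { return Matches(p, Identity{}) }

func main() {
	p, err := LoadPolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	alice := Identity{Email: "alice@example.com", Country: "US"}
	fmt.Println(p.Name, "matches alice:", Matches(p, alice), "matches anyone:", MatchesAnyone(p))
}
```

Running `MatchesAnyone` over every `allow` and `bypass` policy in an account is a quick way to find policies whose Include list is effectively unrestricted.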

# Policy Tests

## Get the current status of a given Access policy test

`client.ZeroTrust.Access.Applications.PolicyTests.Get(ctx, policyTestID, query) (*AccessApplicationPolicyTestGetResponse, error)`

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}`

Fetches the current status of a given Access policy test.

### Parameters

- `policyTestID string` The UUID of the policy test.
- `query AccessApplicationPolicyTestGetParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessApplicationPolicyTestGetResponse struct{…}`
  - `ID string` The UUID of the policy test.
  - `PercentApproved int64` The percentage of (processed) users approved based on policy evaluation results.
  - `PercentBlocked int64` The percentage of (processed) users blocked based on policy evaluation results.
  - `PercentErrored int64` The percentage of (processed) users errored based on policy evaluation results.
  - `PercentUsersProcessed int64` The percentage of users processed so far (of the entire user base).
  - `Status AccessApplicationPolicyTestGetResponseStatus` The status of the policy test.
    - `const AccessApplicationPolicyTestGetResponseStatusBlocked AccessApplicationPolicyTestGetResponseStatus = "blocked"`
    - `const AccessApplicationPolicyTestGetResponseStatusProcessing AccessApplicationPolicyTestGetResponseStatus = "processing"`
    - `const AccessApplicationPolicyTestGetResponseStatusExceededTime AccessApplicationPolicyTestGetResponseStatus = "exceeded time"`
    - `const AccessApplicationPolicyTestGetResponseStatusComplete AccessApplicationPolicyTestGetResponseStatus = "complete"`
  - `TotalUsers int64` The total number of users in the user base.
  - `UsersApproved int64` The number of (processed) users approved based on policy evaluation results.
  - `UsersBlocked int64` The number of (processed) users blocked based on policy evaluation results.
  - `UsersErrored int64` The number of (processed) users errored based on policy evaluation results.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policyTest, err := client.ZeroTrust.Access.Applications.PolicyTests.Get(
		context.TODO(),
		"f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
		zero_trust.AccessApplicationPolicyTestGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policyTest.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "percent_approved": 25,
    "percent_blocked": 25,
    "percent_errored": 25,
    "percent_users_processed": 50,
    "status": "complete",
    "total_users": 20,
    "users_approved": 5,
    "users_blocked": 5,
    "users_errored": 5
  }
}
```

## Start Access policy test

`client.ZeroTrust.Access.Applications.PolicyTests.New(ctx, params) (*AccessApplicationPolicyTestNewResponse, error)`

**post** `/accounts/{account_id}/access/policy-tests`

Starts an Access policy test.

### Parameters

- `params AccessApplicationPolicyTestNewParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Policies param.Field[[]AccessApplicationPolicyTestNewParamsPolicyUnion]` Body param
    - `type AccessApplicationPolicyTestNewParamsPoliciesObject struct{…}`
      - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `const DecisionAllow Decision = "allow"`
        - `const DecisionDeny Decision = "deny"`
        - `const DecisionNonIdentity Decision = "non_identity"`
        - `const DecisionBypass Decision = "bypass"`
      - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `type GroupRule struct{…}` Matches an Access group.
          - `Group GroupRuleGroup`
            - `ID string` The ID of a previously created Access group.
        - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
          - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
        - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
            - `ID string` The ID of an Authentication context.
            - `AcID string` The ACID of an Authentication context.
            - `IdentityProviderID string` The ID of your Azure identity provider.
        - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
          - `AuthMethod AuthenticationMethodRuleAuthMethod`
            - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
          - `AzureAD AzureGroupRuleAzureAD`
            - `ID string` The ID of an Azure group.
            - `IdentityProviderID string` The ID of your Azure identity provider.
        - `type CertificateRule struct{…}` Matches any valid client certificate.
          - `Certificate CertificateRuleCertificate`
        - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
          - `CommonName AccessRuleAccessCommonNameRuleCommonName`
            - `CommonName string` The common name to match.
        - `type CountryRule struct{…}` Matches a specific country.
          - `Geo CountryRuleGeo`
            - `CountryCode string` The country code that should be matched.
        - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
          - `DevicePosture AccessDevicePostureRuleDevicePosture`
            - `IntegrationUID string` The ID of a device posture integration.
        - `type DomainRule struct{…}` Match an entire email domain.
          - `EmailDomain DomainRuleEmailDomain`
            - `Domain string` The email domain to match.
        - `type EmailListRule struct{…}` Matches an email address from a list.
          - `EmailList EmailListRuleEmailList`
            - `ID string` The ID of a previously created email list.
        - `type EmailRule struct{…}` Matches a specific email.
          - `Email EmailRuleEmail`
            - `Email string` The email of the user.
        - `type EveryoneRule struct{…}` Matches everyone.
          - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
        - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
            - `EvaluateURL string` The API endpoint containing your business logic.
            - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
          - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
            - `IdentityProviderID string` The ID of your GitHub identity provider.
            - `Name string` The name of the organization.
            - `Team string` The name of the team.
        - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `GSuite GSuiteGroupRuleGSuite`
            - `Email string` The email of the Google Workspace group.
            - `IdentityProviderID string` The ID of your Google Workspace identity provider.
        - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider ID.
          - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
            - `ID string` The ID of an identity provider.
        - `type IPListRule struct{…}` Matches an IP address from a list.
          - `IPList IPListRuleIPList`
            - `ID string` The ID of a previously created IP list.
        - `type IPRule struct{…}` Matches an IP address block.
          - `IP IPRuleIP`
            - `IP string` An IPv4 or IPv6 CIDR block.
        - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
          - `Okta OktaGroupRuleOkta`
            - `IdentityProviderID string` The ID of your Okta identity provider.
            - `Name string` The name of the Okta group.
        - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
          - `SAML SAMLGroupRuleSAML`
            - `AttributeName string` The name of the SAML attribute.
            - `AttributeValue string` The SAML attribute value to look for.
            - `IdentityProviderID string` The ID of your SAML identity provider.
        - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
          - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
            - `ClaimName string` The name of the OIDC claim.
            - `ClaimValue string` The OIDC claim value to look for.
            - `IdentityProviderID string` The ID of your OIDC identity provider.
        - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
          - `ServiceToken ServiceTokenRuleServiceToken`
            - `TokenID string` The ID of a Service Token.
        - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
            - `AppUID string` The ID of an Access OIDC SaaS application.
        - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
          - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
            - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
              - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
              - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
              - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
      - `Name string` The name of the Access policy.
      - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
        - `EmailAddresses []string` A list of emails that can approve the access request.
        - `EmailListUUID string` The UUID of a reusable email list.
      - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
      - `ConnectionRules AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `RDP AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `const AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
          - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `const AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
      - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `type GroupRule struct{…}` Matches an Access group.
        - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
        - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
        - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
        - `type CertificateRule struct{…}` Matches any valid client certificate.
        - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
        - `type CountryRule struct{…}` Matches a specific country.
        - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
        - `type DomainRule struct{…}` Match an entire email domain.
        - `type EmailListRule struct{…}` Matches an email address from a list.
        - `type EmailRule struct{…}` Matches a specific email.
        - `type EveryoneRule struct{…}` Matches everyone.
        - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
        - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider ID.
        - `type IPListRule struct{…}` Matches an IP address from a list.
        - `type IPRule struct{…}` Matches an IP address block.
        - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
        - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
        - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
        - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
        - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `MfaConfig AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfig` Configures multi-factor authentication (MFA) settings.
        - `AllowedAuthenticators []AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
          - `const AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticator = "totp"`
          - `const AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticator = "biometrics"`
          - `const AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticator = "security_key"`
        - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
      - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
      - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `type GroupRule struct{…}` Matches an Access group.
        - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
        - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
        - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
        - `type CertificateRule struct{…}` Matches any valid client certificate.
        - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
        - `type CountryRule struct{…}` Matches a specific country.
        - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
        - `type DomainRule struct{…}` Match an entire email domain.
        - `type EmailListRule struct{…}` Matches an email address from a list.
        - `type EmailRule struct{…}` Matches a specific email.
        - `type EveryoneRule struct{…}` Matches everyone.
        - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
        - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider ID.
        - `type IPListRule struct{…}` Matches an IP address from a list.
        - `type IPRule struct{…}` Matches an IP address block.
        - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
        - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
        - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
        - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
        - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `UnionString`

### Returns

- `type AccessApplicationPolicyTestNewResponse struct{…}`
  - `ID string` The UUID of the policy test.
  - `Status AccessApplicationPolicyTestNewResponseStatus` The status of the policy test request.
    - `const AccessApplicationPolicyTestNewResponseStatusSuccess AccessApplicationPolicyTestNewResponseStatus = "success"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policyTest, err := client.ZeroTrust.Access.Applications.PolicyTests.New(context.TODO(), zero_trust.AccessApplicationPolicyTestNewParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policyTest.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "status": "success"
  }
}
```

# Users

## Get an Access policy test users page

`client.ZeroTrust.Access.Applications.PolicyTests.Users.List(ctx, policyTestID, params) (*V4PagePaginationArray[AccessApplicationPolicyTestUserListResponse], error)`

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}/users`

Fetches a single page of user results from an Access policy test.

### Parameters

- `policyTestID string` The UUID of the policy test.
- `params AccessApplicationPolicyTestUserListParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param
  - `Status param.Field[AccessApplicationPolicyTestUserListParamsStatus]` Query param: Filter users by their policy evaluation status.
    - `const AccessApplicationPolicyTestUserListParamsStatusSuccess AccessApplicationPolicyTestUserListParamsStatus = "success"`
    - `const AccessApplicationPolicyTestUserListParamsStatusFail AccessApplicationPolicyTestUserListParamsStatus = "fail"`
    - `const AccessApplicationPolicyTestUserListParamsStatusError AccessApplicationPolicyTestUserListParamsStatus = "error"`

### Returns

- `type AccessApplicationPolicyTestUserListResponse struct{…}`
  - `ID string` UUID.
  - `Email string` The email of the user.
  - `Name string` The name of the user.
  - `Status AccessApplicationPolicyTestUserListResponseStatus` Policy evaluation result for an individual user.
    - `const AccessApplicationPolicyTestUserListResponseStatusApproved AccessApplicationPolicyTestUserListResponseStatus = "approved"`
    - `const AccessApplicationPolicyTestUserListResponseStatusBlocked AccessApplicationPolicyTestUserListResponseStatus = "blocked"`
    - `const AccessApplicationPolicyTestUserListResponseStatusError AccessApplicationPolicyTestUserListResponseStatus = "error"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Applications.PolicyTests.Users.List(
		context.TODO(),
		"f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
		zero_trust.AccessApplicationPolicyTestUserListParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "jdoe@example.com",
      "name": "Jane Doe",
      "status": "approved"
    }
  ]
}
```

# Settings

## Update Access application settings

`client.ZeroTrust.Access.Applications.Settings.Update(ctx, appID, params) (*AccessApplicationSettingUpdateResponse, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Parameters

- `AppID AppID` Identifier.
- `params AccessApplicationSettingUpdateParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AllowIframe param.Field[bool]` Body param: Enables loading application content in an iFrame.
  - `SkipInterstitial param.Field[bool]` Body param: Enables automatic authentication through cloudflared.

### Returns

- `type AccessApplicationSettingUpdateResponse struct{…}`
  - `AllowIframe bool` Enables loading application content in an iFrame.
  - `SkipInterstitial bool` Enables automatic authentication through cloudflared.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	setting, err := client.ZeroTrust.Access.Applications.Settings.Update(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationSettingUpdateParams{
			// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", setting.AllowIframe)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Update Access application settings

`client.ZeroTrust.Access.Applications.Settings.Edit(ctx, appID, params) (*AccessApplicationSettingEditResponse, error)`

**patch** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Parameters

- `AppID AppID` Identifier.
- `params AccessApplicationSettingEditParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AllowIframe param.Field[bool]` Body param: Enables loading application content in an iFrame.
  - `SkipInterstitial param.Field[bool]` Body param: Enables automatic authentication through cloudflared.

### Returns

- `type AccessApplicationSettingEditResponse struct{…}`
  - `AllowIframe bool` Enables loading application content in an iFrame.
  - `SkipInterstitial bool` Enables automatic authentication through cloudflared.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Access.Applications.Settings.Edit(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationSettingEditParams{
			// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.AllowIframe)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

# Certificates

## List mTLS certificates

`client.ZeroTrust.Access.Certificates.List(ctx, params) (*V4PagePaginationArray[Certificate], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Lists all mTLS root certificates.

### Parameters

- `params AccessCertificateListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.

### Returns

- `type Certificate struct{…}`
  - `ID string` The ID of the application that will use this certificate.
  - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `ExpiresOn Time`
  - `Fingerprint string` The MD5 fingerprint of the certificate.
  - `Name string` The name of the certificate.
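
Checking that the root certificate Access holds is the one you issued, as an added example that is not Cloudflare code: it computes a fingerprint in the `MD5 Fingerprint=XX:XX:…` form shown in the sample responses on this page and compares it with the value the API returned, also rejecting non-CA, expired, or bundled input. It assumes the API hashes the DER encoding of the certificate, as `openssl x509 -fingerprint -md5` does; the certificate is generated in-process as constructed input, all function names are hypothetical, and a SHA-256 fingerprint is computed alongside because MD5 is not collision resistant.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// colonHex renders a digest as upper-case hex pairs joined by colons.
func colonHex(sum []byte) string {
	return strings.ReplaceAll(fmt.Sprintf("% X", sum), " ", ":")
}

// parseSingleCert accepts exactly one CERTIFICATE block, so a bundle or a pasted key is rejected.
func parseSingleCert(pemText string) (*x509.Certificate, error) {
	block, rest := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE PEM block found")
	}
	if strings.TrimSpace(string(rest)) != "" {
		return nil, errors.New("unexpected data after the certificate")
	}
	return x509.ParseCertificate(block.Bytes)
}

// md5Fingerprint hashes the DER bytes (assumption: the same input the API uses).
func md5Fingerprint(cert *x509.Certificate) string {
	sum := md5.Sum(cert.Raw)
	return "MD5 Fingerprint=" + colonHex(sum[:])
}

// sha256Fingerprint is the stronger value to record in your own inventory.
func sha256Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return colonHex(sum[:])
}

// verifyStored checks the local root against the fingerprint the API returned.
func verifyStored(pemText, apiFingerprint string, now time.Time) error {
	cert, err := parseSingleCert(pemText)
	if err != nil {
		return err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return errors.New("certificate is not a CA and cannot act as an mTLS root")
	}
	if now.After(cert.NotAfter) {
		return fmt.Errorf("root expired on %s", cert.NotAfter.Format(time.RFC3339))
	}
	if local := md5Fingerprint(cert); !strings.EqualFold(local, strings.TrimSpace(apiFingerprint)) {
		return fmt.Errorf("fingerprint mismatch: local %q, API %q", local, apiFingerprint)
	}
	return nil
}

// newConstructedRoot builds a throwaway self-signed CA as sample input.
func newConstructedRoot(notAfter time.Time) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-mtls-root"},
		NotBefore:             notAfter.Add(-24 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	pemText, err := newConstructedRoot(time.Now().Add(time.Hour))
	if err != nil {
		panic(err)
	}
	cert, err := parseSingleCert(pemText)
	if err != nil {
		panic(err)
	}
	fmt.Println(md5Fingerprint(cert), "| SHA-256", sha256Fingerprint(cert))
	fmt.Println("verify:", verifyStored(pemText, md5Fingerprint(cert), time.Now()))
}
```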

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Certificates.List(context.TODO(), zero_trust.AccessCertificateListParams{
		// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "associated_hostnames": [
        "admin.example.com"
      ],
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
      "name": "Allow devs",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an mTLS certificate

`client.ZeroTrust.Access.Certificates.Get(ctx, certificateID, query) (*Certificate, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Fetches a single mTLS certificate.

### Parameters

- `certificateID string` UUID.
- `query AccessCertificateGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type Certificate struct{…}`
  - `ID string` The ID of the application that will use this certificate.
  - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `ExpiresOn Time`
  - `Fingerprint string` The MD5 fingerprint of the certificate.
  - `Name string` The name of the certificate.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Access.Certificates.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessCertificateGetParams{
			// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [
      "admin.example.com"
    ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Add an mTLS certificate

`client.ZeroTrust.Access.Certificates.New(ctx, params) (*Certificate, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Adds a new mTLS root certificate to Access.

### Parameters

- `params AccessCertificateNewParams`
  - `Certificate param.Field[string]` Body param: The certificate content.
  - `Name param.Field[string]` Body param: The name of the certificate.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AssociatedHostnames param.Field[[]AssociatedHostnames]` Body param: The hostnames of the applications that will use this certificate.

### Returns

- `type Certificate struct{…}`
  - `ID string` The ID of the application that will use this certificate.
  - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `ExpiresOn Time`
  - `Fingerprint string` The MD5 fingerprint of the certificate.
  - `Name string` The name of the certificate.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Access.Certificates.New(context.TODO(), zero_trust.AccessCertificateNewParams{
		// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
		AccountID:   cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		Certificate: cloudflare.F("-----BEGIN CERTIFICATE-----\nMIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10\nDrUtmu/B\n-----END CERTIFICATE-----"),
		Name:        cloudflare.F("Allow devs"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [
      "admin.example.com"
    ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an mTLS certificate

`client.ZeroTrust.Access.Certificates.Update(ctx, certificateID, params) (*Certificate, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Updates a configured mTLS certificate.

### Parameters

- `certificateID string` UUID.
- `params AccessCertificateUpdateParams`
  - `AssociatedHostnames param.Field[[]AssociatedHostnames]` Body param: The hostnames of the applications that will use this certificate.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Name param.Field[string]` Body param: The name of the certificate.

### Returns

- `type Certificate struct{…}`
  - `ID string` The ID of the application that will use this certificate.
  - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `ExpiresOn Time`
  - `Fingerprint string` The MD5 fingerprint of the certificate.
  - `Name string` The name of the certificate.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Access.Certificates.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessCertificateUpdateParams{
			AssociatedHostnames: cloudflare.F([]zero_trust.AssociatedHostnamesParam{"admin.example.com"}),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [
      "admin.example.com"
    ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an mTLS certificate

`client.ZeroTrust.Access.Certificates.Delete(ctx, certificateID, body) (*AccessCertificateDeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Deletes an mTLS certificate.

### Parameters

- `certificateID string` UUID.
- `body AccessCertificateDeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessCertificateDeleteResponse struct{…}`
  - `ID string` UUID.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Access.Certificates.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessCertificateDeleteParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Associated Hostnames

- `type AssociatedHostnames string` A fully-qualified domain name (FQDN).

### Certificate

- `type Certificate struct{…}`
  - `ID string` The ID of the application that will use this certificate.
  - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `ExpiresOn Time`
  - `Fingerprint string` The MD5 fingerprint of the certificate.
  - `Name string` The name of the certificate.

# Settings

## List all mTLS hostname settings

`client.ZeroTrust.Access.Certificates.Settings.Get(ctx, query) (*SinglePage[CertificateSettings], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

List all mTLS hostname settings for this account or zone.

### Parameters

- `query AccessCertificateSettingGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
### Returns

- `type CertificateSettings struct{…}`
  - `ChinaNetwork bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.
  - `ClientCertificateForwarding bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin.
  - `Hostname string` The hostname that these settings apply to.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Certificates.Settings.Get(context.TODO(), zero_trust.AccessCertificateSettingGetParams{})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Update an mTLS certificate's hostname settings

`client.ZeroTrust.Access.Certificates.Settings.Update(ctx, params) (*SinglePage[CertificateSettings], error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

Updates an mTLS certificate's hostname settings.

### Parameters

- `params AccessCertificateSettingUpdateParams`
  - `Settings param.Field[[]CertificateSettings]` Body param
    - `ChinaNetwork bool` Request client certificates for this hostname in China.
      Can only be set to true if this zone is china network enabled.
    - `ClientCertificateForwarding bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin.
    - `Hostname string` The hostname that these settings apply to.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type CertificateSettings struct{…}`
  - `ChinaNetwork bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.
  - `ClientCertificateForwarding bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin.
  - `Hostname string` The hostname that these settings apply to.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Certificates.Settings.Update(context.TODO(), zero_trust.AccessCertificateSettingUpdateParams{
		Settings: cloudflare.F([]zero_trust.CertificateSettingsParam{zero_trust.CertificateSettingsParam{
			ChinaNetwork:                cloudflare.F(false),
			ClientCertificateForwarding: cloudflare.F(true),
			Hostname:                    cloudflare.F("admin.example.com"),
		}}),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Certificate Settings

- `type CertificateSettings struct{…}`
  - `ChinaNetwork bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.
  - `ClientCertificateForwarding bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin.
  - `Hostname string` The hostname that these settings apply to.

# Groups

## List Access groups

`client.ZeroTrust.Access.Groups.List(ctx, params) (*V4PagePaginationArray[AccessGroupListResponse], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Lists all Access groups.
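
Each Access group returned by this endpoint carries three rule lists, described in its field reference: Include (OR), Require (AND) and Exclude (NOT). The following added example (not SDK code) evaluates those lists for a few rule kinds and audits a group for over-broad combinations. The `Rule`, `Group` and `Subject` types are simplified hypothetical stand-ins for the SDK's `AccessRule` union, the sample groups are constructed, and treating an empty Include list as matching nobody is an assumption drawn from the OR semantics.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Subject is the identity and connection a group is evaluated against (hypothetical type).
type Subject struct {
	Email string
	IP    netip.Addr
}

// Rule is a simplified stand-in for the SDK's AccessRule union; set exactly one field.
type Rule struct {
	Everyone    bool   // EveryoneRule: matches everyone
	Email       string // EmailRule: a specific email
	EmailDomain string // DomainRule: an entire email domain
	IPBlock     string // IPRule: an IPv4 or IPv6 CIDR block
}

// Group mirrors the three rule lists of an Access group.
type Group struct {
	Name                      string
	Include, Exclude, Require []Rule
}

func newSubject(email, ip string) Subject {
	return Subject{Email: email, IP: netip.MustParseAddr(ip)}
}

func (r Rule) matches(s Subject) bool {
	switch {
	case r.Everyone:
		return true
	case r.Email != "":
		return strings.EqualFold(r.Email, s.Email)
	case r.EmailDomain != "":
		at := strings.LastIndex(s.Email, "@")
		return at >= 0 && strings.EqualFold(s.Email[at+1:], r.EmailDomain)
	case r.IPBlock != "":
		p, err := netip.ParsePrefix(r.IPBlock)
		return err == nil && p.Contains(s.IP.Unmap())
	}
	return false // empty or unsupported rule: fail closed
}

// Evaluate applies Exclude (NOT), then Require (AND), then Include (OR).
func Evaluate(g Group, s Subject) (bool, string) {
	for _, r := range g.Exclude {
		if r.matches(s) {
			return false, "matched an Exclude rule"
		}
	}
	for _, r := range g.Require {
		if !r.matches(s) {
			return false, "failed a Require rule"
		}
	}
	for _, r := range g.Include {
		if r.matches(s) {
			return true, "matched an Include rule"
		}
	}
	return false, "matched no Include rule"
}

// Audit reports rule combinations that make a group broader (or emptier) than intended.
func Audit(g Group) []string {
	var findings []string
	if len(g.Include) == 0 {
		findings = append(findings, "no Include rule: the group matches nobody")
	}
	for _, r := range g.Include {
		if r.Everyone && len(g.Require) == 0 {
			findings = append(findings, "Include has Everyone and no Require rule: only Exclude narrows the group")
		}
		if p, err := netip.ParsePrefix(r.IPBlock); r.IPBlock != "" && err == nil && p.Bits() == 0 {
			findings = append(findings, "Include IP block "+r.IPBlock+" covers every address")
		}
	}
	return findings
}

// sampleGroups returns constructed groups (example.com and documentation address ranges only).
func sampleGroups() (devs, open Group) {
	devs = Group{
		Name:    "Allow devs",
		Include: []Rule{{EmailDomain: "example.com"}},
		Require: []Rule{{IPBlock: "203.0.113.0/24"}},
		Exclude: []Rule{{Email: "contractor@example.com"}},
	}
	open = Group{Name: "Open", Include: []Rule{{Everyone: true}, {IPBlock: "0.0.0.0/0"}}}
	return devs, open
}

func main() {
	devs, open := sampleGroups()
	for _, s := range []Subject{
		newSubject("dev@example.com", "203.0.113.7"),
		newSubject("contractor@example.com", "203.0.113.7"),
		newSubject("dev@example.com", "198.51.100.9"),
		newSubject("dev@example.org", "203.0.113.7"),
	} {
		ok, why := Evaluate(devs, s)
		fmt.Printf("%-24s %-14s allowed=%-5v %s\n", s.Email, s.IP, ok, why)
	}
	for _, f := range Audit(open) {
		fmt.Println("audit:", open.Name+":", f)
	}
}
```
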
### Parameters

- `params AccessGroupListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Name param.Field[string]` Query param: The name of the group.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `Search param.Field[string]` Query param: Search for groups by other listed query parameters.

### Returns

- `type AccessGroupListResponse struct{…}`
  - `ID string` UUID.
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your Github identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace.
      Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsDefault []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `Name string` The name of the Access group.
  - `Require []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
      Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Groups.List(context.TODO(), zero_trust.AccessGroupListParams{})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "exclude": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "include": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "is_default": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "name": "Allow devs",
      "require": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access group

`client.ZeroTrust.Access.Groups.Get(ctx, groupID, query) (*AccessGroupGetResponse, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Fetches a single Access group.

### Parameters

- `groupID string` UUID.
- `query AccessGroupGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint.
    Mutually exclusive with the Account ID.

### Returns

- `type AccessGroupGetResponse struct{…}`
  - `ID string` UUID.
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your Github identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace.
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsDefault []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access group. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Sample token from the documentation. Load real tokens from the
	// environment or a secret store instead of hardcoding them.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	group, err := client.ZeroTrust.Access.Groups.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessGroupGetParams{
			// Path param: set either AccountID or ZoneID (mutually exclusive).
			// "<account_id>" is a placeholder.
			AccountID: cloudflare.F("<account_id>"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", group.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access group

`client.ZeroTrust.Access.Groups.New(ctx, params) (*AccessGroupNewResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Creates a new Access group.

### Parameters

- `params AccessGroupNewParams`
  - `Include param.Field[[]AccessRule]` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. 
- `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. 
- `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. 
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Name param.Field[string]` Body param: The name of the Access group. - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `Exclude param.Field[[]AccessRule]` Body param: Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsDefault param.Field[bool]` Body param: Whether this is the default group - `Require param.Field[[]AccessRule]` Body param: Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. 
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. ### Returns - `type AccessGroupNewResponse struct{…}` - `ID string` UUID. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. 
- `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. 
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsDefault []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access group. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
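The Include (OR), Require (AND) and Exclude (NOT) operators described in the field lists above, worked through as an added example that is not part of the cloudflare-go SDK or the original page. It is a local, standard-library-only model of four rule types; the JSON keys `email`, `email_domain`, `ip` and `everyone`, the `Identity` type, the helper names and the sample group are assumptions for illustration, and any other rule type is rejected with an error.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strings"
)

// Rule is one include/exclude/require entry: a JSON object with a single key
// naming the rule type (assumed keys: email, email_domain, ip, everyone).
type Rule map[string]map[string]any

// Group holds the three rule lists of an Access group.
type Group struct {
	Include []Rule `json:"include"`
	Exclude []Rule `json:"exclude"`
	Require []Rule `json:"require"`
}

// Identity is a hypothetical stand-in for the attributes being evaluated.
type Identity struct {
	Email string
	IP    netip.Addr
}

// Constructed sample group, not taken from a real account.
const sampleGroup = `{
  "name": "Allow devs",
  "include": [{"email_domain": {"domain": "example.com"}},
              {"email": {"email": "contractor@example.net"}}],
  "require": [{"ip": {"ip": "192.0.2.0/24"}}],
  "exclude": [{"email": {"email": "former-employee@example.com"}}]
}`

func field(body map[string]any, key string) string {
	s, _ := body[key].(string)
	return s
}

// ruleMatches evaluates one rule. Unmodelled rule types return an error so
// that a caller never treats an unknown rule as either met or unmet.
func ruleMatches(r Rule, id Identity) (bool, error) {
	if len(r) != 1 {
		return false, fmt.Errorf("rule needs exactly one type key, got %d", len(r))
	}
	for kind, body := range r {
		switch kind {
		case "everyone":
			return true, nil
		case "email":
			e := field(body, "email")
			return e != "" && strings.EqualFold(e, id.Email), nil
		case "email_domain":
			at, d := strings.LastIndex(id.Email, "@"), field(body, "domain")
			return at >= 0 && d != "" && strings.EqualFold(id.Email[at+1:], d), nil
		case "ip":
			prefix, err := netip.ParsePrefix(field(body, "ip"))
			if err != nil {
				return false, fmt.Errorf("ip rule: %w", err)
			}
			return prefix.Contains(id.IP), nil
		default:
			return false, fmt.Errorf("rule type %q is not modelled in this example", kind)
		}
	}
	return false, nil // not reached: len(r) == 1
}

// Matches applies the documented operators: at least one Include rule (OR),
// every Require rule (AND), and no Exclude rule (NOT).
func Matches(g Group, id Identity) (bool, error) {
	var n [3]int
	for i, rules := range [][]Rule{g.Include, g.Require, g.Exclude} {
		for _, r := range rules {
			ok, err := ruleMatches(r, id)
			if err != nil {
				return false, err
			}
			if ok {
				n[i]++
			}
		}
	}
	return n[0] > 0 && n[1] == len(g.Require) && n[2] == 0, nil
}

// Evaluate parses a group document and checks one email/IP pair against it.
func Evaluate(groupJSON, email, ip string) (bool, error) {
	var g Group
	if err := json.Unmarshal([]byte(groupJSON), &g); err != nil {
		return false, err
	}
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return false, err
	}
	return Matches(g, Identity{Email: email, IP: addr})
}

func main() {
	for _, c := range [][2]string{{"dev@example.com", "192.0.2.10"},
		{"dev@example.com", "198.51.100.7"}, {"former-employee@example.com", "192.0.2.10"}} {
		ok, err := Evaluate(sampleGroup, c[0], c[1])
		fmt.Println(c[0], c[1], ok, err)
	}
}
```

An Exclude hit overrides a matching Include, and a group with no matching Include never matches, so a broad Include such as `everyone` is constrained only by whatever Require and Exclude rules accompany it.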
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Sample token from the documentation. Load real tokens from the
	// environment or a secret store instead of hardcoding them.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	group, err := client.ZeroTrust.Access.Groups.New(context.TODO(), zero_trust.AccessGroupNewParams{
		// Path param: set either AccountID or ZoneID (mutually exclusive).
		// "<account_id>" is a placeholder.
		AccountID: cloudflare.F("<account_id>"),
		Include: cloudflare.F([]zero_trust.AccessRuleUnionParam{zero_trust.GroupRuleParam{
			Group: cloudflare.F(zero_trust.GroupRuleGroupParam{
				ID: cloudflare.F("aa0a4aab-672b-4bdb-bc33-a59f1130a11f"),
			}),
		}}),
		Name: cloudflare.F("Allow devs"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", group.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access group

`client.ZeroTrust.Access.Groups.Update(ctx, groupID, params) (*AccessGroupUpdateResponse, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Updates a configured Access group.

### Parameters

- `groupID string` UUID.
- `params AccessGroupUpdateParams`
  - `Include param.Field[[]AccessRule]` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your Github identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Name param.Field[string]` Body param: The name of the Access group.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Exclude param.Field[[]AccessRule]` Body param: Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsDefault param.Field[bool]` Body param: Whether this is the default group
  - `Require param.Field[[]AccessRule]` Body param: Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.

### Returns

- `type AccessGroupUpdateResponse struct{…}`
  - `ID string` UUID.
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your Github identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsDefault []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `Name string` The name of the Access group.
  - `Require []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
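
The Include, Exclude and Require lists described above combine as OR, NOT and AND. The following added example (not part of the SDK or of the original page) models that evaluation locally for four of the listed rule types and flags unrestricted Include rules. The `identity`, `rule` and `group` types, the sample group, and the treatment of an empty Include list as matching nobody are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// identity is what a rule is matched against (hypothetical type for this example).
type identity struct {
	Email   string
	IP      netip.Addr
	Country string
}

// rule is a local stand-in for the AccessRule union; exactly one field is set.
type rule struct {
	EmailDomain string       // DomainRule: the email domain to match
	IP          netip.Prefix // IPRule: an IPv4 or IPv6 CIDR block
	CountryCode string       // CountryRule: the country code to match
	Everyone    bool         // EveryoneRule: matches everyone
}

func (r rule) matches(id identity) bool {
	switch {
	case r.Everyone:
		return true
	case r.EmailDomain != "":
		at := strings.LastIndex(id.Email, "@")
		return at >= 0 && strings.EqualFold(id.Email[at+1:], r.EmailDomain)
	case r.IP.IsValid():
		return r.IP.Contains(id.IP.Unmap())
	case r.CountryCode != "":
		return strings.EqualFold(id.Country, r.CountryCode)
	}
	return false // a rule with no field set matches nothing
}

type group struct {
	Name                      string
	Include, Exclude, Require []rule
}

func anyMatch(rules []rule, id identity) bool {
	for _, r := range rules {
		if r.matches(id) {
			return true
		}
	}
	return false
}

// member combines the lists as documented: Include is OR, Exclude is NOT, Require is AND.
// Assumption: an empty Include admits nobody; an empty Require is trivially met.
func (g group) member(id identity) bool {
	if !anyMatch(g.Include, id) || anyMatch(g.Exclude, id) {
		return false
	}
	for _, r := range g.Require {
		if !r.matches(id) {
			return false
		}
	}
	return true
}

// lint flags Include rules that admit any requester when no Require rule narrows the group.
func (g group) lint() []string {
	var out []string
	for i, r := range g.Include {
		unrestricted := r.Everyone || (r.IP.IsValid() && r.IP.Bits() == 0)
		if unrestricted && len(g.Require) == 0 {
			out = append(out, fmt.Sprintf("%s: include[%d] is unrestricted and no require rule narrows it", g.Name, i))
		}
	}
	return out
}

func cidr(s string) rule { return rule{IP: netip.MustParsePrefix(s)} }

func who(email, ip, country string) identity {
	return identity{Email: email, IP: netip.MustParseAddr(ip), Country: country}
}

// sampleGroup is constructed for this example (documentation address ranges).
func sampleGroup() group {
	return group{
		Name:    "Allow devs",
		Include: []rule{{EmailDomain: "example.com"}, cidr("203.0.113.0/24")},
		Exclude: []rule{cidr("203.0.113.128/25")},
		Require: []rule{{CountryCode: "DE"}},
	}
}

func main() {
	g := sampleGroup()
	fmt.Println(g.member(who("dev@example.com", "198.51.100.7", "DE")))  // Include met via domain
	fmt.Println(g.member(who("dev@example.com", "203.0.113.200", "DE"))) // Exclude overrides Include
	fmt.Println(g.member(who("dev@example.com", "198.51.100.7", "FR")))  // Require not met
	fmt.Println(group{Name: "open", Include: []rule{{Everyone: true}}}.lint())
}
```
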
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	group, err := client.ZeroTrust.Access.Groups.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessGroupUpdateParams{
			Include: cloudflare.F([]zero_trust.AccessRuleUnionParam{zero_trust.GroupRuleParam{
				Group: cloudflare.F(zero_trust.GroupRuleGroupParam{
					ID: cloudflare.F("aa0a4aab-672b-4bdb-bc33-a59f1130a11f"),
				}),
			}}),
			Name: cloudflare.F("Allow devs"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", group.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "is_default": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "name": "Allow devs",
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access group

`client.ZeroTrust.Access.Groups.Delete(ctx, groupID, body) (*AccessGroupDeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Deletes an Access group.

### Parameters

- `groupID string` UUID.
- `body AccessGroupDeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessGroupDeleteResponse struct{…}`
  - `ID string` UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	group, err := client.ZeroTrust.Access.Groups.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessGroupDeleteParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", group.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Zero Trust Group

- `type ZeroTrustGroup struct{…}`
  - `ID string` The unique Cloudflare-generated Id of the SCIM resource.
  - `DisplayName string` The display name of the SCIM Group resource.
  - `ExternalID string` The IdP-generated Id of the SCIM resource.
  - `Meta ZeroTrustGroupMeta` The metadata of the SCIM resource.
    - `Created Time` The timestamp of when the SCIM resource was created.
    - `LastModified Time` The timestamp of when the SCIM resource was last modified.
  - `Schemas []string` The list of URIs which indicate the attributes contained within a SCIM resource.

# Service Tokens

## List service tokens

`client.ZeroTrust.Access.ServiceTokens.List(ctx, params) (*V4PagePaginationArray[ServiceToken], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Lists all service tokens.
### Parameters

- `params AccessServiceTokenListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Name param.Field[string]` Query param: The name of the service token.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `Search param.Field[string]` Query param: Search for service tokens by other listed query parameters.

### Returns

- `type ServiceToken struct{…}`
  - `ID string` The ID of the service token.
  - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `ExpiresAt Time`
  - `Name string` The name of the service token.
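
The `duration`, `expires_at` and `last_seen_at` fields returned by the list endpoint are enough to audit a service token inventory offline. This added example (not from the original page or the SDK) decodes a constructed response in that shape and flags long-lived, expiring, expired and unused tokens. The thresholds, finding names and sample tokens are assumptions; durations are parsed with Go's `time.ParseDuration`, which accepts the unit syntax described above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// serviceToken keeps the "result" fields the audit needs; nil means absent or null.
type serviceToken struct {
	ID         string     `json:"id"`
	Duration   string     `json:"duration"`
	ExpiresAt  *time.Time `json:"expires_at"`
	LastSeenAt *time.Time `json:"last_seen_at"`
}

// auditPolicy thresholds are assumptions of this example, not Cloudflare defaults.
type auditPolicy struct {
	MaxDuration time.Duration // longest acceptable configured lifetime
	ExpiryWarn  time.Duration // flag tokens that expire within this window
	StaleAfter  time.Duration // flag tokens not seen for longer than this
}

type finding struct{ TokenID, Issue string }

// auditTokens decodes one page of the list response and returns findings in token order.
func auditTokens(raw []byte, now time.Time, p auditPolicy) ([]finding, error) {
	var resp struct {
		Success bool           `json:"success"`
		Result  []serviceToken `json:"result"`
	}
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode list response: %w", err)
	}
	if !resp.Success {
		return nil, errors.New("list response has success=false")
	}
	var out []finding
	for _, t := range resp.Result {
		add := func(issue string) { out = append(out, finding{t.ID, issue}) }
		// Configured lifetime, in the unit syntax the API documents.
		if d, err := time.ParseDuration(t.Duration); err != nil {
			add("invalid-duration")
		} else if d > p.MaxDuration {
			add("long-lived")
		}
		// Expiry: already past, or close enough that rotation should be planned.
		switch {
		case t.ExpiresAt == nil:
			add("no-expiry")
		case !t.ExpiresAt.After(now):
			add("expired")
		case t.ExpiresAt.Sub(now) <= p.ExpiryWarn:
			add("expiring-soon")
		}
		// Usage: a token that nothing presents is a candidate for deletion.
		switch {
		case t.LastSeenAt == nil:
			add("never-used")
		case now.Sub(*t.LastSeenAt) > p.StaleAfter:
			add("stale")
		}
	}
	return out, nil
}

// sampleList is constructed for this example; it is not real account data.
const sampleList = `{
  "success": true,
  "result": [
    {"id": "tok-a", "duration": "720h", "expires_at": "2024-06-25T00:00:00Z", "last_seen_at": "2024-05-31T12:00:00Z"},
    {"id": "tok-b", "duration": "8760h", "expires_at": "2025-01-15T00:00:00Z", "last_seen_at": "2024-02-01T00:00:00Z"},
    {"id": "tok-c", "duration": "2160h", "expires_at": "2024-06-03T00:00:00Z", "last_seen_at": "2024-05-31T12:00:00Z"},
    {"id": "tok-d", "duration": "720h", "expires_at": "2024-05-01T00:00:00Z"}
  ]
}`

var samplePolicy = auditPolicy{
	MaxDuration: 2160 * time.Hour, // 90 days
	ExpiryWarn:  168 * time.Hour,  // 7 days
	StaleAfter:  720 * time.Hour,  // 30 days
}

// sampleNow fixes the audit time so the sample output is reproducible.
func sampleNow() time.Time { return time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) }

func main() {
	findings, err := auditTokens([]byte(sampleList), sampleNow(), samplePolicy)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s\t%s\n", f.TokenID, f.Issue)
	}
}
```

The list endpoint is paginated (`page`, `per_page`), so run the audit over every page before acting on the result.
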
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.ServiceTokens.List(context.TODO(), zero_trust.AccessServiceTokenListParams{})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "duration": "60m",
      "expires_at": "2014-01-01T05:20:00.12345Z",
      "last_seen_at": "2014-01-01T05:20:00.12345Z",
      "name": "CI/CD token",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a service token

`client.ZeroTrust.Access.ServiceTokens.Get(ctx, serviceTokenID, query) (*ServiceToken, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Fetches a single service token.

### Parameters

- `serviceTokenID string` UUID.
- `query AccessServiceTokenGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type ServiceToken struct{…}`
  - `ID string` The ID of the service token.
  - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `ExpiresAt Time`
  - `Name string` The name of the service token.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	serviceToken, err := client.ZeroTrust.Access.ServiceTokens.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessServiceTokenGetParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", serviceToken.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a service token

`client.ZeroTrust.Access.ServiceTokens.New(ctx, params) (*AccessServiceTokenNewResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Generates a new service token. **Note:** This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.
### Parameters

- `params AccessServiceTokenNewParams`
  - `Name param.Field[string]` Body param: The name of the service token.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `ClientSecretVersion param.Field[float64]` Body param: A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
  - `Duration param.Field[string]` Body param: The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `PreviousClientSecretExpiresAt param.Field[Time]` Body param: The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `type AccessServiceTokenNewResponse struct{…}`
  - `ID string` The ID of the service token.
  - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `ClientSecret string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `Name string` The name of the service token.

### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) serviceToken, err := client.ZeroTrust.Access.ServiceTokens.New(context.TODO(), zero_trust.AccessServiceTokenNewParams{ Name: cloudflare.F("CI/CD token"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", serviceToken.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a service token `client.ZeroTrust.Access.ServiceTokens.Update(ctx, serviceTokenID, params) (*ServiceToken, error)` **put** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}` Updates a configured service token. ### Parameters - `serviceTokenID string` UUID. - `params AccessServiceTokenUpdateParams` - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `ClientSecretVersion param.Field[float64]` Body param: A version number identifying the current `client_secret` associated with the service token. 
Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`. - `Duration param.Field[string]` Body param: The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `Name param.Field[string]` Body param: The name of the service token. - `PreviousClientSecretExpiresAt param.Field[Time]` Body param: The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise. ### Returns - `type ServiceToken struct{…}` - `ID string` The ID of the service token. - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `ExpiresAt Time` - `Name string` The name of the service token. 
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) serviceToken, err := client.ZeroTrust.Access.ServiceTokens.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessServiceTokenUpdateParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", serviceToken.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "expires_at": "2014-01-01T05:20:00.12345Z", "last_seen_at": "2014-01-01T05:20:00.12345Z", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a service token `client.ZeroTrust.Access.ServiceTokens.Delete(ctx, serviceTokenID, body) (*ServiceToken, error)` **delete** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}` Deletes a service token. ### Parameters - `serviceTokenID string` UUID. - `body AccessServiceTokenDeleteParams` - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `type ServiceToken struct{…}` - `ID string` The ID of the service token. - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. 
- `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `ExpiresAt Time` - `Name string` The name of the service token. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) serviceToken, err := client.ZeroTrust.Access.ServiceTokens.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessServiceTokenDeleteParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", serviceToken.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "expires_at": "2014-01-01T05:20:00.12345Z", "last_seen_at": "2014-01-01T05:20:00.12345Z", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Refresh a service token `client.ZeroTrust.Access.ServiceTokens.Refresh(ctx, serviceTokenID, body) (*ServiceToken, error)` **post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh` Refreshes the expiration of a service token. ### Parameters - `serviceTokenID string` UUID. - `body AccessServiceTokenRefreshParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type ServiceToken struct{…}` - `ID string` The ID of the service token. 
- `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `ExpiresAt Time` - `Name string` The name of the service token. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) serviceToken, err := client.ZeroTrust.Access.ServiceTokens.Refresh( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessServiceTokenRefreshParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", serviceToken.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "expires_at": "2014-01-01T05:20:00.12345Z", "last_seen_at": "2014-01-01T05:20:00.12345Z", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Rotate a service token `client.ZeroTrust.Access.ServiceTokens.Rotate(ctx, serviceTokenID, params) (*AccessServiceTokenRotateResponse, error)` **post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate` Generates a new Client Secret for a service token and revokes the old one. 
### Parameters

- `serviceTokenID string` UUID.
- `params AccessServiceTokenRotateParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `PreviousClientSecretExpiresAt param.Field[Time]` Body param: The expiration of the previous `client_secret`. If not provided, it defaults to the current timestamp in order to immediately expire the previous secret.

### Returns

- `type AccessServiceTokenRotateResponse struct{…}`
  - `ID string` The ID of the service token.
  - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `ClientSecret string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `Name string` The name of the service token.

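
One way to decide which service tokens need the Refresh, Update, Rotate or Delete calls documented in this section, shown as an added example that is not part of the Cloudflare documentation or SDK: it audits a List response using the `duration`, `expires_at` and `last_seen_at` fields and parses `duration` with Go's `time.ParseDuration`, which accepts the documented unit set. The policy thresholds, the issue-to-endpoint suggestions and the sample JSON are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// serviceToken holds the fields of the List response that the audit needs.
type serviceToken struct {
	ID         string     `json:"id"`
	Name       string     `json:"name"`
	Duration   string     `json:"duration"`
	ExpiresAt  *time.Time `json:"expires_at"`
	LastSeenAt *time.Time `json:"last_seen_at"`
}

type listEnvelope struct {
	Success bool           `json:"success"`
	Result  []serviceToken `json:"result"`
}

// policy thresholds are assumptions of this example, not Cloudflare defaults.
type policy struct {
	MaxDuration time.Duration // longest acceptable token lifetime
	ExpiryWarn  time.Duration // flag tokens expiring within this window
	StaleAfter  time.Duration // flag tokens unseen for longer than this
}

var defaultPolicy = policy{
	MaxDuration: 2160 * time.Hour, // 90 days
	ExpiryWarn:  336 * time.Hour,  // 14 days
	StaleAfter:  720 * time.Hour,  // 30 days
}

// finding names one issue and the endpoint an operator would likely use next
// (the issue-to-endpoint mapping is a suggestion made by this example).
type finding struct {
	ID, Name, Issue, Suggest string
}

// auditTokens decodes a List response and returns policy findings in input order.
func auditTokens(raw []byte, now time.Time, p policy) ([]finding, error) {
	var env listEnvelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode list response: %w", err)
	}
	if !env.Success {
		return nil, fmt.Errorf("list response reported success=false")
	}
	var out []finding
	for _, t := range env.Result {
		add := func(issue, suggest string) {
			out = append(out, finding{ID: t.ID, Name: t.Name, Issue: issue, Suggest: suggest})
		}
		if t.ExpiresAt != nil {
			if !t.ExpiresAt.After(now) {
				add("expired", "Delete")
				continue // remaining checks are moot for an expired token
			}
			if t.ExpiresAt.Sub(now) <= p.ExpiryWarn {
				add("expiring", "Refresh")
			}
		}
		// The documented duration format (ns, us/µs, ms, s, m, h) is Go's own.
		d, err := time.ParseDuration(t.Duration)
		switch {
		case err != nil:
			add("bad-duration", "Update")
		case d > p.MaxDuration:
			add("long-lived", "Update")
		}
		switch {
		case t.LastSeenAt == nil:
			add("never-used", "Delete")
		case now.Sub(*t.LastSeenAt) > p.StaleAfter:
			add("stale", "Delete")
		}
	}
	return out, nil
}

// Constructed sample in the shape of the List response; not real tokens.
const sampleListResponse = `{"success": true, "result": [
 {"id": "00000000-0000-4000-8000-000000000001", "name": "ci-deploy", "duration": "2160h",
  "expires_at": "2025-06-10T00:00:00Z", "last_seen_at": "2025-05-31T08:00:00Z"},
 {"id": "00000000-0000-4000-8000-000000000002", "name": "legacy-batch", "duration": "8760h",
  "expires_at": "2026-01-01T00:00:00Z", "last_seen_at": "2025-01-15T00:00:00Z"},
 {"id": "00000000-0000-4000-8000-000000000003", "name": "unused-probe", "duration": "720h",
  "expires_at": "2025-06-20T00:00:00Z"},
 {"id": "00000000-0000-4000-8000-000000000004", "name": "old-import", "duration": "60m",
  "expires_at": "2025-05-01T00:00:00Z", "last_seen_at": "2025-04-30T23:30:00Z"}
]}`

func main() {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock for a repeatable run
	findings, err := auditTokens([]byte(sampleListResponse), now, defaultPolicy)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-13s %-12s -> %s %s\n", f.Name, f.Issue, f.Suggest, f.ID)
	}
}
```
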
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) response, err := client.ZeroTrust.Access.ServiceTokens.Rotate( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessServiceTokenRotateParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", response.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Domain Types ### Service Token - `type ServiceToken struct{…}` - `ID string` The ID of the service token. - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `ExpiresAt Time` - `Name string` The name of the service token. # Bookmarks ## List Bookmark applications `client.ZeroTrust.Access.Bookmarks.List(ctx, query) (*SinglePage[Bookmark], error)` **get** `/accounts/{account_id}/access/bookmarks` Lists Bookmark applications. 
### Parameters - `query AccessBookmarkListParams` - `AccountID param.Field[string]` ### Returns - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Access.Bookmarks.List(context.TODO(), zero_trust.AccessBookmarkListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a Bookmark application `client.ZeroTrust.Access.Bookmarks.Get(ctx, bookmarkID, query) (*Bookmark, error)` **get** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Fetches a single Bookmark application. ### Parameters - `bookmarkID string` UUID. 
- `query AccessBookmarkGetParams` - `AccountID param.Field[string]` ### Returns - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) bookmark, err := client.ZeroTrust.Access.Bookmarks.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessBookmarkGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", bookmark.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a Bookmark application `client.ZeroTrust.Access.Bookmarks.New(ctx, bookmarkID, params) (*Bookmark, error)` **post** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Create a new Bookmark application. ### Parameters - `bookmarkID string` UUID. 
- `params AccessBookmarkNewParams` - `AccountID param.Field[string]` Path param - `Body param.Field[unknown]` Body param ### Returns - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) bookmark, err := client.ZeroTrust.Access.Bookmarks.New( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessBookmarkNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Body: map[string]interface{}{ }, }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", bookmark.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a Bookmark application `client.ZeroTrust.Access.Bookmarks.Update(ctx, bookmarkID, params) (*Bookmark, error)` **put** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Updates a configured Bookmark application. ### Parameters - `bookmarkID string` UUID. 
- `params AccessBookmarkUpdateParams` - `AccountID param.Field[string]` Path param - `Body param.Field[unknown]` Body param ### Returns - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) bookmark, err := client.ZeroTrust.Access.Bookmarks.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessBookmarkUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Body: map[string]interface{}{ }, }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", bookmark.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a Bookmark application `client.ZeroTrust.Access.Bookmarks.Delete(ctx, bookmarkID, body) (*AccessBookmarkDeleteResponse, error)` **delete** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Deletes a Bookmark application. ### Parameters - `bookmarkID string` UUID. 
- `body AccessBookmarkDeleteParams` - `AccountID param.Field[string]` ### Returns - `type AccessBookmarkDeleteResponse struct{…}` - `ID string` UUID. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) bookmark, err := client.ZeroTrust.Access.Bookmarks.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessBookmarkDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", bookmark.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Bookmark - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. # Keys ## Get the Access key configuration `client.ZeroTrust.Access.Keys.Get(ctx, query) (*AccessKeyGetResponse, error)` **get** `/accounts/{account_id}/access/keys` Gets the Access key rotation settings for an account. ### Parameters - `query AccessKeyGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type AccessKeyGetResponse struct{…}` - `DaysUntilNextRotation float64` The number of days until the next key rotation. 
- `KeyRotationIntervalDays float64` The number of days between key rotations. - `LastKeyRotationAt Time` The timestamp of the previous key rotation. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) key, err := client.ZeroTrust.Access.Keys.Get(context.TODO(), zero_trust.AccessKeyGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", key.DaysUntilNextRotation) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "days_until_next_rotation": 1, "key_rotation_interval_days": 30, "last_key_rotation_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update the Access key configuration `client.ZeroTrust.Access.Keys.Update(ctx, params) (*AccessKeyUpdateResponse, error)` **put** `/accounts/{account_id}/access/keys` Updates the Access key rotation settings for an account. ### Parameters - `params AccessKeyUpdateParams` - `AccountID param.Field[string]` Path param: Identifier. - `KeyRotationIntervalDays param.Field[float64]` Body param: The number of days between key rotations. ### Returns - `type AccessKeyUpdateResponse struct{…}` - `DaysUntilNextRotation float64` The number of days until the next key rotation. - `KeyRotationIntervalDays float64` The number of days between key rotations. - `LastKeyRotationAt Time` The timestamp of the previous key rotation. 
### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  // Set the account's Access key rotation interval to 30 days.
  key, err := client.ZeroTrust.Access.Keys.Update(context.TODO(), zero_trust.AccessKeyUpdateParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    KeyRotationIntervalDays: cloudflare.F(30.000000),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", key.DaysUntilNextRotation)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Access keys

`client.ZeroTrust.Access.Keys.Rotate(ctx, body) (*AccessKeyRotateResponse, error)`

**post** `/accounts/{account_id}/access/keys/rotate`

Performs a key rotation for an account.

### Parameters

- `body AccessKeyRotateParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessKeyRotateResponse struct{…}`
  - `DaysUntilNextRotation float64` The number of days until the next key rotation.
  - `KeyRotationIntervalDays float64` The number of days between key rotations.
  - `LastKeyRotationAt Time` The timestamp of the previous key rotation.

### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) response, err := client.ZeroTrust.Access.Keys.Rotate(context.TODO(), zero_trust.AccessKeyRotateParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", response.DaysUntilNextRotation) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "days_until_next_rotation": 1, "key_rotation_interval_days": 30, "last_key_rotation_at": "2014-01-01T05:20:00.12345Z" } } ``` # Logs # Access Requests ## Get Access authentication logs `client.ZeroTrust.Access.Logs.AccessRequests.List(ctx, params) (*[]AccessRequest, error)` **get** `/accounts/{account_id}/access/logs/access_requests` Gets a list of Access authentication audit logs for an account. ### Parameters - `params AccessLogAccessRequestListParams` - `AccountID param.Field[string]` Path param: Identifier. - `AllowedOp param.Field[AccessLogAccessRequestListParamsAllowedOp]` Query param: Operator for the `allowed` filter. - `const AccessLogAccessRequestListParamsAllowedOpEq AccessLogAccessRequestListParamsAllowedOp = "eq"` - `const AccessLogAccessRequestListParamsAllowedOpNeq AccessLogAccessRequestListParamsAllowedOp = "neq"` - `AppTypeOp param.Field[AccessLogAccessRequestListParamsAppTypeOp]` Query param: Operator for the `app_type` filter. 
- `const AccessLogAccessRequestListParamsAppTypeOpEq AccessLogAccessRequestListParamsAppTypeOp = "eq"` - `const AccessLogAccessRequestListParamsAppTypeOpNeq AccessLogAccessRequestListParamsAppTypeOp = "neq"` - `AppUIDOp param.Field[AccessLogAccessRequestListParamsAppUIDOp]` Query param: Operator for the `app_uid` filter. - `const AccessLogAccessRequestListParamsAppUIDOpEq AccessLogAccessRequestListParamsAppUIDOp = "eq"` - `const AccessLogAccessRequestListParamsAppUIDOpNeq AccessLogAccessRequestListParamsAppUIDOp = "neq"` - `CountryCodeOp param.Field[AccessLogAccessRequestListParamsCountryCodeOp]` Query param: Operator for the `country_code` filter. - `const AccessLogAccessRequestListParamsCountryCodeOpEq AccessLogAccessRequestListParamsCountryCodeOp = "eq"` - `const AccessLogAccessRequestListParamsCountryCodeOpNeq AccessLogAccessRequestListParamsCountryCodeOp = "neq"` - `Direction param.Field[AccessLogAccessRequestListParamsDirection]` Query param: The chronological sorting order for the logs. - `const AccessLogAccessRequestListParamsDirectionDesc AccessLogAccessRequestListParamsDirection = "desc"` - `const AccessLogAccessRequestListParamsDirectionAsc AccessLogAccessRequestListParamsDirection = "asc"` - `Email param.Field[string]` Query param: Filter by user email. Defaults to substring matching. To force exact matching, set `email_exact=true`. Example (default): `email=@example.com` returns all events with that domain. Example (exact): `email=user@example.com&email_exact=true` returns only that user. - `EmailExact param.Field[bool]` Query param: When true, `email` is matched exactly instead of substring matching. - `EmailOp param.Field[AccessLogAccessRequestListParamsEmailOp]` Query param: Operator for the `email` filter. 
- `const AccessLogAccessRequestListParamsEmailOpEq AccessLogAccessRequestListParamsEmailOp = "eq"` - `const AccessLogAccessRequestListParamsEmailOpNeq AccessLogAccessRequestListParamsEmailOp = "neq"` - `Fields param.Field[string]` Query param: Comma-separated list of fields to include in the response. When omitted, all fields are returned. - `IdPOp param.Field[AccessLogAccessRequestListParamsIdPOp]` Query param: Operator for the `idp` filter. - `const AccessLogAccessRequestListParamsIdPOpEq AccessLogAccessRequestListParamsIdPOp = "eq"` - `const AccessLogAccessRequestListParamsIdPOpNeq AccessLogAccessRequestListParamsIdPOp = "neq"` - `Limit param.Field[int64]` Query param: The maximum number of log entries to retrieve. - `NonIdentityOp param.Field[AccessLogAccessRequestListParamsNonIdentityOp]` Query param: Operator for the `non_identity` filter. - `const AccessLogAccessRequestListParamsNonIdentityOpEq AccessLogAccessRequestListParamsNonIdentityOp = "eq"` - `const AccessLogAccessRequestListParamsNonIdentityOpNeq AccessLogAccessRequestListParamsNonIdentityOp = "neq"` - `Page param.Field[int64]` Query param: Page number of results. - `PerPage param.Field[int64]` Query param: Number of results per page. - `RayIDOp param.Field[AccessLogAccessRequestListParamsRayIDOp]` Query param: Operator for the `ray_id` filter. - `const AccessLogAccessRequestListParamsRayIDOpEq AccessLogAccessRequestListParamsRayIDOp = "eq"` - `const AccessLogAccessRequestListParamsRayIDOpNeq AccessLogAccessRequestListParamsRayIDOp = "neq"` - `Since param.Field[Time]` Query param: The earliest event timestamp to query. - `Until param.Field[Time]` Query param: The latest event timestamp to query. - `UserID param.Field[string]` Query param: Filter by user UUID. - `UserIDOp param.Field[AccessLogAccessRequestListParamsUserIDOp]` Query param: Operator for the `user_id` filter. 
- `const AccessLogAccessRequestListParamsUserIDOpEq AccessLogAccessRequestListParamsUserIDOp = "eq"` - `const AccessLogAccessRequestListParamsUserIDOpNeq AccessLogAccessRequestListParamsUserIDOp = "neq"` ### Returns - `type AccessLogAccessRequestListResponseEnvelopeResult []AccessRequest` - `Action string` The event that occurred, such as a login attempt. - `Allowed bool` The result of the authentication event. - `AppDomain string` The URL of the Access application. - `AppUID string` The unique identifier for the Access application. - `Connection string` The IdP used to authenticate. - `CreatedAt Time` - `IPAddress string` The IP address of the authenticating user. - `RayID string` The unique identifier for the request to Cloudflare. - `UserEmail string` The email address of the authenticating user. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"), option.WithAPIEmail("user@example.com"), ) accessRequests, err := client.ZeroTrust.Access.Logs.AccessRequests.List(context.TODO(), zero_trust.AccessLogAccessRequestListParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", accessRequests) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "action": "login", "allowed": true, "app_domain": "test.example.com/admin", "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "connection": "saml", "created_at": "2014-01-01T05:20:00.12345Z", "ip_address": "198.41.129.166", "ray_id": "187d944c61940c77", 
"user_email": "user@example.com" } ] } ``` # SCIM ## Domain Types ### Access Request - `type AccessRequest struct{…}` - `Action string` The event that occurred, such as a login attempt. - `Allowed bool` The result of the authentication event. - `AppDomain string` The URL of the Access application. - `AppUID string` The unique identifier for the Access application. - `Connection string` The IdP used to authenticate. - `CreatedAt Time` - `IPAddress string` The IP address of the authenticating user. - `RayID string` The unique identifier for the request to Cloudflare. - `UserEmail string` The email address of the authenticating user. # Updates ## List Access SCIM update logs `client.ZeroTrust.Access.Logs.SCIM.Updates.List(ctx, params) (*V4PagePaginationArray[AccessLogSCIMUpdateListResponse], error)` **get** `/accounts/{account_id}/access/logs/scim/updates` Lists Access SCIM update logs that maintain a record of updates made to User and Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM). ### Parameters - `params AccessLogSCIMUpdateListParams` - `AccountID param.Field[string]` Path param: Identifier. - `IdPID param.Field[[]string]` Query param: The unique Id of the IdP that has SCIM enabled. - `CfResourceID param.Field[string]` Query param: The unique Cloudflare-generated Id of the SCIM resource. - `Direction param.Field[AccessLogSCIMUpdateListParamsDirection]` Query param: The chronological order used to sort the logs. - `const AccessLogSCIMUpdateListParamsDirectionDesc AccessLogSCIMUpdateListParamsDirection = "desc"` - `const AccessLogSCIMUpdateListParamsDirectionAsc AccessLogSCIMUpdateListParamsDirection = "asc"` - `IdPResourceID param.Field[string]` Query param: The IdP-generated Id of the SCIM resource. - `Limit param.Field[int64]` Query param: The maximum number of update logs to retrieve. - `Page param.Field[int64]` Query param: Page number of results. 
- `PerPage param.Field[int64]` Query param: Number of results per page. - `RequestMethod param.Field[[]AccessLogSCIMUpdateListParamsRequestMethod]` Query param: The request method of the SCIM request. - `const AccessLogSCIMUpdateListParamsRequestMethodDelete AccessLogSCIMUpdateListParamsRequestMethod = "DELETE"` - `const AccessLogSCIMUpdateListParamsRequestMethodPatch AccessLogSCIMUpdateListParamsRequestMethod = "PATCH"` - `const AccessLogSCIMUpdateListParamsRequestMethodPost AccessLogSCIMUpdateListParamsRequestMethod = "POST"` - `const AccessLogSCIMUpdateListParamsRequestMethodPut AccessLogSCIMUpdateListParamsRequestMethod = "PUT"` - `ResourceGroupName param.Field[string]` Query param: The display name of the SCIM Group resource. - `ResourceType param.Field[[]AccessLogSCIMUpdateListParamsResourceType]` Query param: The resource type of the SCIM request. - `const AccessLogSCIMUpdateListParamsResourceTypeUser AccessLogSCIMUpdateListParamsResourceType = "USER"` - `const AccessLogSCIMUpdateListParamsResourceTypeGroup AccessLogSCIMUpdateListParamsResourceType = "GROUP"` - `ResourceUserEmail param.Field[string]` Query param: The email address of the SCIM User resource. - `Since param.Field[Time]` Query param: the timestamp of the earliest update log. - `Status param.Field[[]AccessLogSCIMUpdateListParamsStatus]` Query param: The status of the SCIM request. - `const AccessLogSCIMUpdateListParamsStatusFailure AccessLogSCIMUpdateListParamsStatus = "FAILURE"` - `const AccessLogSCIMUpdateListParamsStatusSuccess AccessLogSCIMUpdateListParamsStatus = "SUCCESS"` - `Until param.Field[Time]` Query param: the timestamp of the most-recent update log. ### Returns - `type AccessLogSCIMUpdateListResponse struct{…}` - `CfResourceID string` The unique Cloudflare-generated Id of the SCIM resource. - `ErrorDescription string` The error message which is generated when the status of the SCIM request is 'FAILURE'. - `IdPID string` The unique Id of the IdP that has SCIM enabled. 
- `IdPResourceID string` The IdP-generated Id of the SCIM resource. - `LoggedAt Time` - `RequestBody string` The JSON-encoded string body of the SCIM request. - `RequestMethod string` The request method of the SCIM request. - `ResourceGroupName string` The display name of the SCIM Group resource if it exists. - `ResourceType string` The resource type of the SCIM request. - `ResourceUserEmail string` The email address of the SCIM User resource if it exists. - `Status string` The status of the SCIM request. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"), option.WithAPIEmail("user@example.com"), ) page, err := client.ZeroTrust.Access.Logs.SCIM.Updates.List(context.TODO(), zero_trust.AccessLogSCIMUpdateListParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), IdPID: cloudflare.F([]string{"df7e2w5f-02b7-4d9d-af26-8d1988fca630", "0194ae2c-efcf-7cfb-8884-055f1a161fa5"}), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "cf_resource_id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0", "error_description": "Invalid JSON body", "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "idp_resource_id": "all_employees", "logged_at": "2014-01-01T05:20:00.12345Z", "request_body": "{}}", "request_method": "DELETE", "resource_group_name": "ALL_EMPLOYEES", "resource_type": "GROUP", "resource_user_email": "john.smith@example.com", "status": "FAILURE" } ], "result_info": { "count": 1, "page": 1, "per_page": 
20, "total_count": 2000, "total_pages": 100 } } ``` # Users ## Get users `client.ZeroTrust.Access.Users.List(ctx, params) (*V4PagePaginationArray[AccessUserListResponse], error)` **get** `/accounts/{account_id}/access/users` Gets a list of users for an account. ### Parameters - `params AccessUserListParams` - `AccountID param.Field[string]` Path param: Identifier. - `Email param.Field[string]` Query param: The email of the user. - `Name param.Field[string]` Query param: The name of the user. - `Page param.Field[int64]` Query param: Page number of results. - `PerPage param.Field[int64]` Query param: Number of results per page. - `Search param.Field[string]` Query param: Search for users by other listed query parameters. ### Returns - `type AccessUserListResponse struct{…}` - `ID string` UUID. - `AccessSeat bool` True if the user has authenticated with Cloudflare Access. - `ActiveDeviceCount float64` The number of active devices registered to the user. - `CreatedAt Time` - `Email string` The email of the user. - `GatewaySeat bool` True if the user has logged into the WARP client. - `LastSuccessfulLogin Time` The time at which the user last successfully logged in. - `Name string` The name of the user. - `SeatUID string` The unique API identifier for the Zero Trust seat. - `UID string` The unique API identifier for the user. 
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Access.Users.List(context.TODO(), zero_trust.AccessUserListParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "access_seat": false, "active_device_count": 2, "created_at": "2014-01-01T05:20:00.12345Z", "email": "jdoe@example.com", "gateway_seat": false, "last_successful_login": "2020-07-01T05:20:00Z", "name": "Jane Doe", "seat_uid": "seat_uid", "uid": "uid", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 100, "total_count": 1, "total_pages": 100 } } ``` ## Get a user `client.ZeroTrust.Access.Users.Get(ctx, userID, query) (*AccessUserGetResponse, error)` **get** `/accounts/{account_id}/access/users/{user_id}` Gets a specific user for an account. ### Parameters - `userID string` UUID. - `query AccessUserGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type AccessUserGetResponse struct{…}` - `ID string` UUID. - `AccessSeat bool` True if the user has authenticated with Cloudflare Access. - `ActiveDeviceCount float64` The number of active devices registered to the user. - `CreatedAt Time` - `Email string` The email of the user. - `GatewaySeat bool` True if the user has logged into the WARP client. 
- `LastSuccessfulLogin Time` The time at which the user last successfully logged in. - `Name string` The name of the user. - `SeatUID string` The unique API identifier for the Zero Trust seat. - `UID string` The unique API identifier for the user. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) user, err := client.ZeroTrust.Access.Users.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessUserGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", user.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "access_seat": false, "active_device_count": 2, "created_at": "2014-01-01T05:20:00.12345Z", "email": "jdoe@example.com", "gateway_seat": false, "last_successful_login": "2020-07-01T05:20:00Z", "name": "Jane Doe", "seat_uid": "seat_uid", "uid": "uid", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a user `client.ZeroTrust.Access.Users.New(ctx, params) (*AccessUserNewResponse, error)` **post** `/accounts/{account_id}/access/users` Creates a new user. ### Parameters - `params AccessUserNewParams` - `AccountID param.Field[string]` Path param: Identifier. - `Email param.Field[string]` Body param: The email of the user. - `Name param.Field[string]` Body param: The name of the user. ### Returns - `type AccessUserNewResponse struct{…}` - `ID string` UUID. 
- `AccessSeat bool` True if the user has authenticated with Cloudflare Access. - `ActiveDeviceCount float64` The number of active devices registered to the user. - `CreatedAt Time` - `Email string` The email of the user. - `GatewaySeat bool` True if the user has logged into the WARP client. - `LastSuccessfulLogin Time` The time at which the user last successfully logged in. - `Name string` The name of the user. - `SeatUID string` The unique API identifier for the Zero Trust seat. - `UID string` The unique API identifier for the user. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) user, err := client.ZeroTrust.Access.Users.New(context.TODO(), zero_trust.AccessUserNewParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), Email: cloudflare.F("jdoe@example.com"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", user.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "access_seat": false, "active_device_count": 2, "created_at": "2014-01-01T05:20:00.12345Z", "email": "jdoe@example.com", "gateway_seat": false, "last_successful_login": "2020-07-01T05:20:00Z", "name": "Jane Doe", "seat_uid": "seat_uid", "uid": "uid", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a user `client.ZeroTrust.Access.Users.Update(ctx, userID, params) (*AccessUserUpdateResponse, error)` **put** `/accounts/{account_id}/access/users/{user_id}` Updates a specific user's name 
for an account. Requires the user's current email as confirmation (email cannot be changed). ### Parameters - `userID string` UUID. - `params AccessUserUpdateParams` - `AccountID param.Field[string]` Path param: Identifier. - `Email param.Field[string]` Body param: The email of the user. - `Name param.Field[string]` Body param: The name of the user. ### Returns - `type AccessUserUpdateResponse struct{…}` - `ID string` UUID. - `AccessSeat bool` True if the user has authenticated with Cloudflare Access. - `ActiveDeviceCount float64` The number of active devices registered to the user. - `CreatedAt Time` - `Email string` The email of the user. - `GatewaySeat bool` True if the user has logged into the WARP client. - `LastSuccessfulLogin Time` The time at which the user last successfully logged in. - `Name string` The name of the user. - `SeatUID string` The unique API identifier for the Zero Trust seat. - `UID string` The unique API identifier for the user. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) user, err := client.ZeroTrust.Access.Users.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessUserUpdateParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), Email: cloudflare.F("jdoe@example.com"), Name: cloudflare.F("Jane Doe"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", user.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": 
"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "access_seat": false, "active_device_count": 2, "created_at": "2014-01-01T05:20:00.12345Z", "email": "jdoe@example.com", "gateway_seat": false, "last_successful_login": "2020-07-01T05:20:00Z", "name": "Jane Doe", "seat_uid": "seat_uid", "uid": "uid", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a user `client.ZeroTrust.Access.Users.Delete(ctx, userID, body) (*AccessUserDeleteResponse, error)` **delete** `/accounts/{account_id}/access/users/{user_id}` Deletes a specific user for an account. This will also revoke any active seats and tokens for the user. ### Parameters - `userID string` UUID. - `body AccessUserDeleteParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type AccessUserDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) user, err := client.ZeroTrust.Access.Users.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessUserDeleteParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", user) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### Access User - `type AccessUser struct{…}` - `ID string` The unique Cloudflare-generated Id of the SCIM resource. - `Active bool` Determines the status of the SCIM User resource. - `DisplayName string` The name of the SCIM User resource. 
- `Emails []AccessUserEmail` - `Primary bool` Indicates if the email address is the primary email belonging to the SCIM User resource. - `Type string` Indicates the type of the email address. - `Value string` The email address of the SCIM User resource. - `ExternalID string` The IdP-generated Id of the SCIM resource. - `Meta AccessUserMeta` The metadata of the SCIM resource. - `Created Time` The timestamp of when the SCIM resource was created. - `LastModified Time` The timestamp of when the SCIM resource was last modified. - `Schemas []string` The list of URIs which indicate the attributes contained within a SCIM resource. # Active Sessions ## Get active sessions `client.ZeroTrust.Access.Users.ActiveSessions.List(ctx, userID, query) (*SinglePage[AccessUserActiveSessionListResponse], error)` **get** `/accounts/{account_id}/access/users/{user_id}/active_sessions` Get active sessions for a single user. ### Parameters - `userID string` UUID. - `query AccessUserActiveSessionListParams` - `AccountID param.Field[string]` Identifier. 
### Returns - `type AccessUserActiveSessionListResponse struct{…}` - `Expiration int64` - `Metadata AccessUserActiveSessionListResponseMetadata` - `Apps map[string, AccessUserActiveSessionListResponseMetadataApp]` - `Hostname string` - `Name string` - `Type string` - `UID string` - `Expires int64` - `Iat int64` - `Nonce string` - `TTL int64` - `Name string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Access.Users.ActiveSessions.List( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessUserActiveSessionListParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "expiration": 1694813506, "metadata": { "apps": { "foo": { "hostname": "test.example.com", "name": "app name", "type": "self_hosted", "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e" } }, "expires": 1694813506, "iat": 1694791905, "nonce": "X1aXj1lFVcqqyoXF", "ttl": 21600 }, "name": "name" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get single active session `client.ZeroTrust.Access.Users.ActiveSessions.Get(ctx, userID, nonce, query) (*AccessUserActiveSessionGetResponse, error)` **get** `/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}` Get an active session for a single user. ### Parameters - `userID string` UUID. 
- `nonce string` - `query AccessUserActiveSessionGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type AccessUserActiveSessionGetResponse struct{…}` - `AccountID string` - `AuthStatus string` - `CommonName string` - `DeviceID string` - `DeviceSessions map[string, AccessUserActiveSessionGetResponseDeviceSession]` - `LastAuthenticated float64` - `DevicePosture map[string, AccessUserActiveSessionGetResponseDevicePosture]` - `ID string` - `Check AccessUserActiveSessionGetResponseDevicePostureCheck` - `Exists bool` - `Path string` - `Data unknown` - `Description string` - `Error string` - `RuleName string` - `Success bool` - `Timestamp string` - `Type string` - `Email string` - `Geo UserPolicyCheckGeo` - `Country string` - `Iat float64` - `IdP AccessUserActiveSessionGetResponseIdP` - `ID string` - `Type string` - `IP string` - `IsGateway bool` - `IsWARP bool` - `IsActive bool` - `MTLSAuth AccessUserActiveSessionGetResponseMTLSAuth` - `AuthStatus string` - `CERTIssuerDn string` - `CERTIssuerSki string` - `CERTPresented bool` - `CERTSerial string` - `ServiceTokenID string` - `ServiceTokenStatus bool` - `UserUUID string` - `Version float64` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) activeSession, err := client.ZeroTrust.Access.Users.ActiveSessions.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "X1aXj1lFVcqqyoXF", zero_trust.AccessUserActiveSessionGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", activeSession.AccountID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { 
"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "1234567890", "auth_status": "NONE", "common_name": "", "device_id": "", "device_sessions": { "foo": { "last_authenticated": 1638832687 } }, "devicePosture": { "foo": { "id": "id", "check": { "exists": true, "path": "path" }, "data": {}, "description": "description", "error": "error", "rule_name": "rule_name", "success": true, "timestamp": "timestamp", "type": "type" } }, "email": "test@cloudflare.com", "geo": { "country": "US" }, "iat": 1694791905, "idp": { "id": "id", "type": "type" }, "ip": "127.0.0.0", "is_gateway": false, "is_warp": false, "isActive": true, "mtls_auth": { "auth_status": "auth_status", "cert_issuer_dn": "cert_issuer_dn", "cert_issuer_ski": "cert_issuer_ski", "cert_presented": true, "cert_serial": "cert_serial" }, "service_token_id": "", "service_token_status": false, "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4", "version": 2 } } ``` # Last Seen Identity ## Get last seen identity `client.ZeroTrust.Access.Users.LastSeenIdentity.Get(ctx, userID, query) (*Identity, error)` **get** `/accounts/{account_id}/access/users/{user_id}/last_seen_identity` Get last seen identity for a single user. ### Parameters - `userID string` UUID. - `query AccessUserLastSeenIdentityGetParams` - `AccountID param.Field[string]` Identifier. 
### Returns - `type Identity struct{…}` - `AccountID string` - `AuthStatus string` - `CommonName string` - `DeviceID string` - `DeviceSessions map[string, IdentityDeviceSession]` - `LastAuthenticated float64` - `DevicePosture map[string, IdentityDevicePosture]` - `ID string` - `Check IdentityDevicePostureCheck` - `Exists bool` - `Path string` - `Data unknown` - `Description string` - `Error string` - `RuleName string` - `Success bool` - `Timestamp string` - `Type string` - `Email string` - `Geo UserPolicyCheckGeo` - `Country string` - `Iat float64` - `IdP IdentityIdP` - `ID string` - `Type string` - `IP string` - `IsGateway bool` - `IsWARP bool` - `MTLSAuth IdentityMTLSAuth` - `AuthStatus string` - `CERTIssuerDn string` - `CERTIssuerSki string` - `CERTPresented bool` - `CERTSerial string` - `ServiceTokenID string` - `ServiceTokenStatus bool` - `UserUUID string` - `Version float64` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) identity, err := client.ZeroTrust.Access.Users.LastSeenIdentity.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessUserLastSeenIdentityGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", identity.AccountID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "1234567890", "auth_status": "NONE", "common_name": "", "device_id": "", "device_sessions": { "foo": { "last_authenticated": 1638832687 } }, 
"devicePosture": { "foo": { "id": "id", "check": { "exists": true, "path": "path" }, "data": {}, "description": "description", "error": "error", "rule_name": "rule_name", "success": true, "timestamp": "timestamp", "type": "type" } }, "email": "test@cloudflare.com", "geo": { "country": "US" }, "iat": 1694791905, "idp": { "id": "id", "type": "type" }, "ip": "127.0.0.0", "is_gateway": false, "is_warp": false, "mtls_auth": { "auth_status": "auth_status", "cert_issuer_dn": "cert_issuer_dn", "cert_issuer_ski": "cert_issuer_ski", "cert_presented": true, "cert_serial": "cert_serial" }, "service_token_id": "", "service_token_status": false, "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4", "version": 2 } } ``` ## Domain Types ### Identity - `type Identity struct{…}` - `AccountID string` - `AuthStatus string` - `CommonName string` - `DeviceID string` - `DeviceSessions map[string, IdentityDeviceSession]` - `LastAuthenticated float64` - `DevicePosture map[string, IdentityDevicePosture]` - `ID string` - `Check IdentityDevicePostureCheck` - `Exists bool` - `Path string` - `Data unknown` - `Description string` - `Error string` - `RuleName string` - `Success bool` - `Timestamp string` - `Type string` - `Email string` - `Geo UserPolicyCheckGeo` - `Country string` - `Iat float64` - `IdP IdentityIdP` - `ID string` - `Type string` - `IP string` - `IsGateway bool` - `IsWARP bool` - `MTLSAuth IdentityMTLSAuth` - `AuthStatus string` - `CERTIssuerDn string` - `CERTIssuerSki string` - `CERTPresented bool` - `CERTSerial string` - `ServiceTokenID string` - `ServiceTokenStatus bool` - `UserUUID string` - `Version float64` # Failed Logins ## Get failed logins `client.ZeroTrust.Access.Users.FailedLogins.List(ctx, userID, query) (*SinglePage[AccessUserFailedLoginListResponse], error)` **get** `/accounts/{account_id}/access/users/{user_id}/failed_logins` Get all failed login attempts for a single user. ### Parameters - `userID string` UUID. 
- `query AccessUserFailedLoginListParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type AccessUserFailedLoginListResponse struct{…}` - `Expiration int64` - `Metadata unknown` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Access.Users.FailedLogins.List( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessUserFailedLoginListParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "expiration": 0, "metadata": { "app_name": "Test App", "aud": "39691c1480a2352a18ece567debc2b32552686cbd38eec0887aa18d5d3f00c04", "datetime": "2022-02-02T21:54:34.914Z", "ray_id": "6d76a8a42ead4133", "user_email": "test@cloudflare.com", "user_uuid": "57171132-e453-4ee8-b2a5-8cbaad333207" } } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` # Custom Pages ## List custom pages `client.ZeroTrust.Access.CustomPages.List(ctx, params) (*V4PagePaginationArray[CustomPageWithoutHTML], error)` **get** `/accounts/{account_id}/access/custom_pages` List custom pages ### Parameters - `params AccessCustomPageListParams` - `AccountID param.Field[string]` Path param: Identifier. - `Page param.Field[int64]` Query param: Page number of results. - `PerPage param.Field[int64]` Query param: Number of results per page. 
### Returns - `type CustomPageWithoutHTML struct{…}` - `Name string` Custom page name. - `Type CustomPageWithoutHTMLType` Custom page type. - `const CustomPageWithoutHTMLTypeIdentityDenied CustomPageWithoutHTMLType = "identity_denied"` - `const CustomPageWithoutHTMLTypeForbidden CustomPageWithoutHTMLType = "forbidden"` - `UID string` UUID. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Access.CustomPages.List(context.TODO(), zero_trust.AccessCustomPageListParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "name": "name", "type": "identity_denied", "app_count": 0, "created_at": "2014-01-01T05:20:00.12345Z", "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a custom page `client.ZeroTrust.Access.CustomPages.Get(ctx, customPageID, query) (*CustomPage, error)` **get** `/accounts/{account_id}/access/custom_pages/{custom_page_id}` Fetches a custom page and also returns its HTML. ### Parameters - `customPageID string` UUID. - `query AccessCustomPageGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type CustomPage struct{…}` - `CustomHTML string` Custom page HTML. - `Name string` Custom page name. 
  - `Type CustomPageType` Custom page type.
    - `const CustomPageTypeIdentityDenied CustomPageType = "identity_denied"`
    - `const CustomPageTypeForbidden CustomPageType = "forbidden"`
  - `UID string` UUID.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  customPage, err := client.ZeroTrust.Access.CustomPages.Get(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.AccessCustomPageGetParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", customPage.UID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "custom_html": "<html><body><h1>Access Denied</h1></body></html>",
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a custom page

`client.ZeroTrust.Access.CustomPages.New(ctx, params) (*CustomPageWithoutHTML, error)`

**post** `/accounts/{account_id}/access/custom_pages`

Create a custom page

### Parameters

- `params AccessCustomPageNewParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `CustomPage param.Field[CustomPage]` Body param

### Returns

- `type CustomPageWithoutHTML struct{…}`
  - `Name string` Custom page name.
  - `Type CustomPageWithoutHTMLType` Custom page type.
    - `const CustomPageWithoutHTMLTypeIdentityDenied CustomPageWithoutHTMLType = "identity_denied"`
    - `const CustomPageWithoutHTMLTypeForbidden CustomPageWithoutHTMLType = "forbidden"`
  - `UID string` UUID.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  customPageWithoutHTML, err := client.ZeroTrust.Access.CustomPages.New(context.TODO(), zero_trust.AccessCustomPageNewParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    CustomPage: zero_trust.CustomPageParam{
      CustomHTML: cloudflare.F("<html><body><h1>Access Denied</h1></body></html>"),
      Name: cloudflare.F("name"),
      Type: cloudflare.F(zero_trust.CustomPageTypeIdentityDenied),
    },
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", customPageWithoutHTML.UID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a custom page

`client.ZeroTrust.Access.CustomPages.Update(ctx, customPageID, params) (*CustomPageWithoutHTML, error)`

**put** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Update a custom page

### Parameters

- `customPageID string` UUID.
- `params AccessCustomPageUpdateParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `CustomPage param.Field[CustomPage]` Body param

### Returns

- `type CustomPageWithoutHTML struct{…}`
  - `Name string` Custom page name.
  - `Type CustomPageWithoutHTMLType` Custom page type.
    - `const CustomPageWithoutHTMLTypeIdentityDenied CustomPageWithoutHTMLType = "identity_denied"`
    - `const CustomPageWithoutHTMLTypeForbidden CustomPageWithoutHTMLType = "forbidden"`
  - `UID string` UUID.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  customPageWithoutHTML, err := client.ZeroTrust.Access.CustomPages.Update(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.AccessCustomPageUpdateParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
      CustomPage: zero_trust.CustomPageParam{
        CustomHTML: cloudflare.F("<html><body><h1>Access Denied</h1></body></html>"),
        Name: cloudflare.F("name"),
        Type: cloudflare.F(zero_trust.CustomPageTypeIdentityDenied),
      },
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", customPageWithoutHTML.UID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a custom page

`client.ZeroTrust.Access.CustomPages.Delete(ctx, customPageID, body) (*AccessCustomPageDeleteResponse, error)`

**delete** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Delete a custom page

### Parameters

- `customPageID string` UUID.
- `body AccessCustomPageDeleteParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessCustomPageDeleteResponse struct{…}`
  - `ID string` UUID.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  customPage, err := client.ZeroTrust.Access.CustomPages.Delete(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.AccessCustomPageDeleteParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", customPage.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Custom Page

- `type CustomPage struct{…}`
  - `CustomHTML string` Custom page HTML.
  - `Name string` Custom page name.
  - `Type CustomPageType` Custom page type.
    - `const CustomPageTypeIdentityDenied CustomPageType = "identity_denied"`
    - `const CustomPageTypeForbidden CustomPageType = "forbidden"`
  - `UID string` UUID.

### Custom Page Without HTML

- `type CustomPageWithoutHTML struct{…}`
  - `Name string` Custom page name.
  - `Type CustomPageWithoutHTMLType` Custom page type.
    - `const CustomPageWithoutHTMLTypeIdentityDenied CustomPageWithoutHTMLType = "identity_denied"`
    - `const CustomPageWithoutHTMLTypeForbidden CustomPageWithoutHTMLType = "forbidden"`
  - `UID string` UUID.

# Tags

## List tags

`client.ZeroTrust.Access.Tags.List(ctx, params) (*V4PagePaginationArray[Tag], error)`

**get** `/accounts/{account_id}/access/tags`

List tags

### Parameters

- `params AccessTagListParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.

### Returns

- `type Tag struct{…}` A tag
  - `Name string` The name of the tag

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Access.Tags.List(context.TODO(), zero_trust.AccessTagListParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "name": "engineers",
      "app_count": 1,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a tag

`client.ZeroTrust.Access.Tags.Get(ctx, tagName, query) (*Tag, error)`

**get** `/accounts/{account_id}/access/tags/{tag_name}`

Get a tag

### Parameters

- `tagName string` The name of the tag
- `query AccessTagGetParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type Tag struct{…}` A tag
  - `Name string` The name of the tag

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  tag, err := client.ZeroTrust.Access.Tags.Get(
    context.TODO(),
    "engineers",
    zero_trust.AccessTagGetParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", tag.Name)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a tag

`client.ZeroTrust.Access.Tags.New(ctx, params) (*Tag, error)`

**post** `/accounts/{account_id}/access/tags`

Create a tag

### Parameters

- `params AccessTagNewParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Name param.Field[string]` Body param: The name of the tag

### Returns

- `type Tag struct{…}` A tag
  - `Name string` The name of the tag

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  tag, err := client.ZeroTrust.Access.Tags.New(context.TODO(), zero_trust.AccessTagNewParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", tag.Name)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a tag

`client.ZeroTrust.Access.Tags.Update(ctx, tagName, params) (*Tag, error)`

**put** `/accounts/{account_id}/access/tags/{tag_name}`

Update a tag

### Parameters

- `tagName string` The name of the tag
- `params AccessTagUpdateParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Name param.Field[string]` Body param: The name of the tag

### Returns

- `type Tag struct{…}` A tag
  - `Name string` The name of the tag

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  tag, err := client.ZeroTrust.Access.Tags.Update(
    context.TODO(),
    "engineers",
    zero_trust.AccessTagUpdateParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
      Name: cloudflare.F("engineers"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", tag.Name)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a tag

`client.ZeroTrust.Access.Tags.Delete(ctx, tagName, body) (*AccessTagDeleteResponse, error)`

**delete** `/accounts/{account_id}/access/tags/{tag_name}`

Delete a tag

### Parameters

- `tagName string` The name of the tag
- `body AccessTagDeleteParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessTagDeleteResponse struct{…}`
  - `Name string` The name of the tag

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  tag, err := client.ZeroTrust.Access.Tags.Delete(
    context.TODO(),
    "engineers",
    zero_trust.AccessTagDeleteParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", tag.Name)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "name": "engineers"
  }
}
```

## Domain Types

### Tag

- `type Tag struct{…}` A tag
  - `Name string` The name of the tag

# Policies

## List Access reusable policies

`client.ZeroTrust.Access.Policies.List(ctx, params) (*V4PagePaginationArray[AccessPolicyListResponse], error)`

**get** `/accounts/{account_id}/access/policies`

Lists Access reusable policies.

### Parameters

- `params AccessPolicyListParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.

### Returns

- `type AccessPolicyListResponse struct{…}`
  - `ID string` The UUID of the policy
  - `AppCount int64` Number of access applications currently using this policy.
  - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules AccessPolicyListResponseConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `RDP AccessPolicyListResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessPolicyListResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessPolicyListResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessPolicyListResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessPolicyListResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessPolicyListResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessPolicyListResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `CreatedAt Time`
  - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `const DecisionAllow Decision = "allow"`
    - `const DecisionDeny Decision = "deny"`
    - `const DecisionNonIdentity Decision = "non_identity"`
    - `const DecisionBypass Decision = "bypass"`
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your GitHub identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `MfaConfig AccessPolicyListResponseMfaConfig` Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessPolicyListResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessPolicyListResponseMfaConfigAllowedAuthenticatorTotp AccessPolicyListResponseMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessPolicyListResponseMfaConfigAllowedAuthenticatorBiometrics AccessPolicyListResponseMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessPolicyListResponseMfaConfigAllowedAuthenticatorSecurityKey AccessPolicyListResponseMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Name string` The name of the Access policy.
  - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
  - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
  - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `Reusable AccessPolicyListResponseReusable`
    - `const AccessPolicyListResponseReusableTrue AccessPolicyListResponseReusable = true`
  - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UpdatedAt Time`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Access.Policies.List(context.TODO(), zero_trust.AccessPolicyListParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "app_count": 2,
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": [
            "test1@cloudflare.com",
            "test2@cloudflare.com"
          ],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": [
            "test@cloudflare.com",
            "test2@cloudflare.com"
          ],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": [
            "text"
          ],
          "allowed_clipboard_remote_to_local_formats": [
            "text"
          ]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "include": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": [
          "totp",
          "biometrics",
          "security_key"
        ],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "reusable": true,
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access reusable policy

`client.ZeroTrust.Access.Policies.Get(ctx, policyID, query) (*AccessPolicyGetResponse, error)`

**get** `/accounts/{account_id}/access/policies/{policy_id}`

Fetches a single Access reusable policy.

### Parameters

- `policyID string` The UUID of the policy
- `query AccessPolicyGetParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessPolicyGetResponse struct{…}`
  - `ID string` The UUID of the policy
  - `AppCount int64` Number of access applications currently using this policy.
  - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules AccessPolicyGetResponseConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `RDP AccessPolicyGetResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessPolicyGetResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessPolicyGetResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessPolicyGetResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessPolicyGetResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessPolicyGetResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessPolicyGetResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. 
- `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. 
- `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. 
- `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessPolicyGetResponseMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessPolicyGetResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessPolicyGetResponseMfaConfigAllowedAuthenticatorTotp AccessPolicyGetResponseMfaConfigAllowedAuthenticator = "totp"` - `const AccessPolicyGetResponseMfaConfigAllowedAuthenticatorBiometrics AccessPolicyGetResponseMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessPolicyGetResponseMfaConfigAllowedAuthenticatorSecurityKey AccessPolicyGetResponseMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Reusable AccessPolicyGetResponseReusable` - `const AccessPolicyGetResponseReusableTrue AccessPolicyGetResponseReusable = true` - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
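An added example (not code from the Cloudflare SDK or from this page): a standard-library-only audit over the `result` array of a policy list response, using the `decision`, `include`, `require`, `exclude`, `mfa_config` and `session_duration` fields described above to flag `bypass` decisions, `allow` policies that include everyone with no Require rules, disabled MFA, and sessions longer than a reviewer-chosen ceiling. The sample response, the check names, the 24h ceiling and the `everyone` / `ip` JSON keys are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// rules is an include/exclude/require array of single-key objects, e.g. {"group": {"id": "..."}}.
type rules []map[string]json.RawMessage

// has reports whether any rule in rs is of the given type (JSON key).
func (rs rules) has(key string) bool {
	for _, r := range rs {
		if _, ok := r[key]; ok {
			return true
		}
	}
	return false
}

// Policy mirrors only the response fields this audit reads.
type Policy struct {
	ID              string `json:"id"`
	Name            string `json:"name"`
	AppCount        int64  `json:"app_count"`
	Decision        string `json:"decision"`
	Include         rules  `json:"include"`
	Exclude         rules  `json:"exclude"`
	Require         rules  `json:"require"`
	SessionDuration string `json:"session_duration"`
	MfaConfig       struct {
		MfaDisabled bool `json:"mfa_disabled"`
	} `json:"mfa_config"`
}

// Finding is one audit observation about one policy.
type Finding struct{ PolicyID, Check, Detail string }

// Audit decodes a policy list response body and flags settings worth a review.
// maxSession is the reviewer's own ceiling (an assumption, not an API limit).
func Audit(body []byte, maxSession time.Duration) ([]Finding, error) {
	var resp struct {
		Success bool     `json:"success"`
		Result  []Policy `json:"result"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !resp.Success {
		return nil, fmt.Errorf("response has success=false")
	}
	var out []Finding
	for _, p := range resp.Result {
		add := func(check, detail string) {
			out = append(out, Finding{p.ID, check, fmt.Sprintf("%s (%d apps): %s", p.Name, p.AppCount, detail)})
		}
		if p.Decision == "bypass" {
			add("bypass-decision", "decision is bypass")
		}
		// Include is OR-ed: one "everyone" rule (assumed JSON key) matches all users unless narrowed.
		if p.Decision == "allow" && p.Include.has("everyone") && len(p.Require) == 0 {
			add("allow-everyone", fmt.Sprintf("everyone included, no Require rules, %d Exclude rules", len(p.Exclude)))
		}
		if p.MfaConfig.MfaDisabled {
			add("mfa-disabled", "mfa_config.mfa_disabled is true")
		}
		// session_duration uses Go duration syntax (300ms, 2h45m); empty or unparsable values are skipped.
		if d, err := time.ParseDuration(p.SessionDuration); err == nil && d > maxSession {
			add("long-session", fmt.Sprintf("session_duration %s exceeds %s", d, maxSession))
		}
	}
	return out, nil
}

// sampleResponse is constructed for this example; IDs, names and values are made up.
const sampleResponse = `{
  "success": true,
  "result": [
    {"id": "00000000-0000-4000-8000-000000000001", "name": "Allow devs", "app_count": 2, "decision": "allow",
     "include": [{"group": {"id": "00000000-0000-4000-8000-0000000000aa"}}], "session_duration": "24h"},
    {"id": "00000000-0000-4000-8000-000000000002", "name": "Open wiki", "app_count": 7, "decision": "allow",
     "include": [{"everyone": {}}], "session_duration": "720h", "mfa_config": {"mfa_disabled": true}},
    {"id": "00000000-0000-4000-8000-000000000003", "name": "Health checks", "app_count": 1, "decision": "bypass",
     "include": [{"ip": {"ip": "192.0.2.0/24"}}], "session_duration": "30m"}
  ]
}`

func main() {
	findings, err := Audit([]byte(sampleResponse), 24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f.PolicyID, f.Check, f.Detail)
	}
}
```

Because a reusable policy applies to every application counted in `app_count`, sorting the findings by that field gives a rough order of review priority.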
- `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Sample token value; supply your own API token, read from the
	// environment or a secret store rather than hardcoded.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Fetch one reusable Access policy by its UUID.
	policy, err := client.ZeroTrust.Access.Policies.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessPolicyGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access reusable policy

`client.ZeroTrust.Access.Policies.New(ctx, params) (*AccessPolicyNewResponse, error)`

**post** `/accounts/{account_id}/access/policies`

Creates a new Access reusable policy.

### Parameters

- `params AccessPolicyNewParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Decision param.Field[Decision]` Body param: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `Include param.Field[[]AccessRule]` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
- `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. 
- `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Name param.Field[string]` Body param: The name of the Access policy. - `ApprovalGroups param.Field[[]ApprovalGroup]` Body param: Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of an re-usable email list. - `ApprovalRequired param.Field[bool]` Body param: Requires the user to request access from an administrator at the start of each session. - `ConnectionRules param.Field[AccessPolicyNewParamsConnectionRules]` Body param: The rules that define how users may connect to targets secured by your application. - `RDP AccessPolicyNewParamsConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `AllowedClipboardLocalToRemoteFormats []AccessPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `Exclude param.Field[[]AccessRule]` Body param: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired param.Field[bool]` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig param.Field[AccessPolicyNewParamsMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessPolicyNewParamsMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessPolicyNewParamsMfaConfigAllowedAuthenticatorTotp AccessPolicyNewParamsMfaConfigAllowedAuthenticator = "totp"` - `const AccessPolicyNewParamsMfaConfigAllowedAuthenticatorBiometrics AccessPolicyNewParamsMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessPolicyNewParamsMfaConfigAllowedAuthenticatorSecurityKey AccessPolicyNewParamsMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `PurposeJustificationPrompt param.Field[string]` Body param: A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired param.Field[bool]` Body param: Require users to enter a justification when they log in to the application. - `Require param.Field[[]AccessRule]` Body param: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. ### Returns - `type AccessPolicyNewResponse struct{…}` - `ID string` The UUID of the policy - `AppCount int64` Number of access applications currently using this policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. 
- `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of an re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessPolicyNewResponseConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessPolicyNewResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessPolicyNewResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessPolicyNewResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessPolicyNewResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessPolicyNewResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessPolicyNewResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessPolicyNewResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. 
- `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. 
- `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. 
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessPolicyNewResponseMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessPolicyNewResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessPolicyNewResponseMfaConfigAllowedAuthenticatorTotp AccessPolicyNewResponseMfaConfigAllowedAuthenticator = "totp"` - `const AccessPolicyNewResponseMfaConfigAllowedAuthenticatorBiometrics AccessPolicyNewResponseMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessPolicyNewResponseMfaConfigAllowedAuthenticatorSecurityKey AccessPolicyNewResponseMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). 
Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Reusable AccessPolicyNewResponseReusable` - `const AccessPolicyNewResponseReusableTrue AccessPolicyNewResponseReusable = true` - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
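
How the Include, Exclude and Require lists described above combine, as an added example that is not part of this page or of cloudflare-go: a standard-library-only evaluator over the policy JSON for four rule types. The `Request` type, the function names, the JSON rule keys (taken as the snake_case of the Go field names) and the sample policy are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strings"
)

// Rule is one include/exclude/require entry, e.g. {"email": {"email": "a@b"}}.
type Rule map[string]json.RawMessage

// Policy keeps only the fields of the policy JSON that drive matching.
type Policy struct {
	Decision string `json:"decision"`
	Include  []Rule `json:"include"`
	Exclude  []Rule `json:"exclude"`
	Require  []Rule `json:"require"`
}

// Request is a hypothetical stand-in for the identity being evaluated.
type Request struct{ Email, IP string }

// ParsePolicy decodes one policy object (the "result" value of a response).
func ParsePolicy(s string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(s), &p)
	return p, err
}

// ruleMatches supports four rule types (JSON keys are assumed). Any other type
// is an error, so a policy it cannot fully evaluate is never reported as a match.
func ruleMatches(r Rule, req Request) (bool, error) {
	if len(r) != 1 {
		return false, fmt.Errorf("rule needs exactly one type key, got %d", len(r))
	}
	for kind, raw := range r {
		var b struct{ Email, Domain, IP string }
		if err := json.Unmarshal(raw, &b); err != nil {
			return false, fmt.Errorf("%s: %w", kind, err)
		}
		switch kind {
		case "everyone":
			return true, nil
		case "email": // assumption: addresses compare case-insensitively
			return b.Email != "" && strings.EqualFold(b.Email, req.Email), nil
		case "email_domain":
			at := strings.LastIndex(req.Email, "@")
			return at >= 0 && b.Domain != "" && strings.EqualFold(b.Domain, req.Email[at+1:]), nil
		case "ip":
			prefix, err := netip.ParsePrefix(b.IP)
			if err != nil {
				return false, fmt.Errorf("ip rule: %w", err)
			}
			addr, err := netip.ParseAddr(req.IP)
			return err == nil && prefix.Contains(addr), err
		default:
			return false, fmt.Errorf("unsupported rule type %q", kind)
		}
	}
	return false, nil
}

// Matches applies the documented operators: Include is OR, Require is AND,
// Exclude is NOT. Every list is walked so an unsupported rule surfaces as an error.
func (p Policy) Matches(req Request) (bool, error) {
	var hits [3]int
	for i, rules := range [][]Rule{p.Include, p.Require, p.Exclude} {
		for _, r := range rules {
			ok, err := ruleMatches(r, req)
			if err != nil {
				return false, err
			}
			if ok {
				hits[i]++
			}
		}
	}
	return hits[0] > 0 && hits[1] == len(p.Require) && hits[2] == 0, nil
}

// samplePolicy is constructed for this example; it is not real configuration.
const samplePolicy = `{"decision": "allow",
  "include": [{"email_domain": {"domain": "example.com"}},
              {"email": {"email": "contractor@example.net"}}],
  "require": [{"ip": {"ip": "192.0.2.0/24"}}],
  "exclude": [{"email": {"email": "former@example.com"}}]}`

func main() {
	p, err := ParsePolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	for _, req := range []Request{{"dev@example.com", "192.0.2.10"},
		{"dev@example.com", "198.51.100.7"}, {"former@example.com", "192.0.2.10"}} {
		ok, err := p.Matches(req)
		fmt.Printf("%s from %s: match=%v (decision %q) err=%v\n", req.Email, req.IP, ok, p.Decision, err)
	}
}
```

An empty Include list never matches, an empty Require list is satisfied trivially, and a rule type the evaluator does not know yields an error rather than a verdict.
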
- `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Example token value as shown in the docs; read the real API token from
	// the environment or a secret store instead of hard-coding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Create a reusable policy that allows members of one Access group.
	policy, err := client.ZeroTrust.Access.Policies.New(context.TODO(), zero_trust.AccessPolicyNewParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		Decision:  cloudflare.F(zero_trust.DecisionAllow),
		Include: cloudflare.F([]zero_trust.AccessRuleUnionParam{zero_trust.GroupRuleParam{
			Group: cloudflare.F(zero_trust.GroupRuleGroupParam{
				ID: cloudflare.F("aa0a4aab-672b-4bdb-bc33-a59f1130a11f"),
			}),
		}}),
		Name: cloudflare.F("Allow devs"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access reusable policy

`client.ZeroTrust.Access.Policies.Update(ctx, policyID, params) (*AccessPolicyUpdateResponse, error)`

**put** `/accounts/{account_id}/access/policies/{policy_id}`

Updates an Access reusable policy.

### Parameters

- `policyID string` The UUID of the policy - `params AccessPolicyUpdateParams` - `AccountID param.Field[string]` Path param: Identifier. - `Decision param.Field[Decision]` Body param: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Include param.Field[[]AccessRule]` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. 
- `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. 
- `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Name param.Field[string]` Body param: The name of the Access policy. - `ApprovalGroups param.Field[[]ApprovalGroup]` Body param: Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list.
- `ApprovalRequired param.Field[bool]` Body param: Requires the user to request access from an administrator at the start of each session. - `ConnectionRules param.Field[AccessPolicyUpdateParamsConnectionRules]` Body param: The rules that define how users may connect to targets secured by your application. - `RDP AccessPolicyUpdateParamsConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessPolicyUpdateParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessPolicyUpdateParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessPolicyUpdateParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessPolicyUpdateParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessPolicyUpdateParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessPolicyUpdateParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `Exclude param.Field[[]AccessRule]` Body param: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired param.Field[bool]` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig param.Field[AccessPolicyUpdateParamsMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessPolicyUpdateParamsMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessPolicyUpdateParamsMfaConfigAllowedAuthenticatorTotp AccessPolicyUpdateParamsMfaConfigAllowedAuthenticator = "totp"` - `const AccessPolicyUpdateParamsMfaConfigAllowedAuthenticatorBiometrics AccessPolicyUpdateParamsMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessPolicyUpdateParamsMfaConfigAllowedAuthenticatorSecurityKey AccessPolicyUpdateParamsMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `PurposeJustificationPrompt param.Field[string]` Body param: A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired param.Field[bool]` Body param: Require users to enter a justification when they log in to the application. - `Require param.Field[[]AccessRule]` Body param: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. ### Returns - `type AccessPolicyUpdateResponse struct{…}` - `ID string` The UUID of the policy - `AppCount int64` Number of access applications currently using this policy. 
- `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessPolicyUpdateResponseConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessPolicyUpdateResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessPolicyUpdateResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessPolicyUpdateResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessPolicyUpdateResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessPolicyUpdateResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessPolicyUpdateResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessPolicyUpdateResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
- `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. 
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessPolicyUpdateResponseMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessPolicyUpdateResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessPolicyUpdateResponseMfaConfigAllowedAuthenticatorTotp AccessPolicyUpdateResponseMfaConfigAllowedAuthenticator = "totp"` - `const AccessPolicyUpdateResponseMfaConfigAllowedAuthenticatorBiometrics AccessPolicyUpdateResponseMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessPolicyUpdateResponseMfaConfigAllowedAuthenticatorSecurityKey AccessPolicyUpdateResponseMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. 
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Reusable AccessPolicyUpdateResponseReusable` - `const AccessPolicyUpdateResponseReusableTrue AccessPolicyUpdateResponseReusable = true` - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policy, err := client.ZeroTrust.Access.Policies.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessPolicyUpdateParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
			Decision:  cloudflare.F(zero_trust.DecisionAllow),
			Include: cloudflare.F([]zero_trust.AccessRuleUnionParam{zero_trust.GroupRuleParam{
				Group: cloudflare.F(zero_trust.GroupRuleGroupParam{
					ID: cloudflare.F("aa0a4aab-672b-4bdb-bc33-a59f1130a11f"),
				}),
			}}),
			Name: cloudflare.F("Allow devs"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access reusable policy

`client.ZeroTrust.Access.Policies.Delete(ctx, policyID, body) (*AccessPolicyDeleteResponse, error)`

**delete** `/accounts/{account_id}/access/policies/{policy_id}`

Deletes an Access reusable policy.

### Parameters

- `policyID string` The UUID of the policy
- `body AccessPolicyDeleteParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessPolicyDeleteResponse struct{…}`
  - `ID string` The UUID of the policy

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policy, err := client.ZeroTrust.Access.Policies.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessPolicyDeleteParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Approval Group

- `type ApprovalGroup struct{…}` A group of email addresses that can approve a temporary authentication request.
  - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
  - `EmailAddresses []string` A list of emails that can approve the access request.
  - `EmailListUUID string` The UUID of a reusable email list.

### Policy

- `type Policy struct{…}`
  - `ID string` UUID.
  - `ApprovalGroups []PolicyApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []unknown` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `CreatedAt Time`
  - `Decision PolicyDecision` The action Access will take if a user matches this policy.
    - `const PolicyDecisionAllow PolicyDecision = "allow"`
    - `const PolicyDecisionDeny PolicyDecision = "deny"`
    - `const PolicyDecisionNonIdentity PolicyDecision = "non_identity"`
    - `const PolicyDecisionBypass PolicyDecision = "bypass"`
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. 
- `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. 
- `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. 
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. - `Name string` The name of the Access policy. 
- `Precedence int64` The order of execution for this policy. Must be unique for each policy. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. 
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `UpdatedAt Time`

# DEX

## Domain Types

### Digital Experience Monitor

- `type DigitalExperienceMonitor struct{…}`
  - `ID string` API Resource UUID tag.
  - `Default bool` Whether the policy is the default for the account
  - `Name string`

### Network Path

- `type NetworkPath struct{…}`
  - `Slots []NetworkPathSlot`
    - `ID string` API Resource UUID tag.
    - `ClientToAppRTTMs int64` Round trip time in ms of the client to app mile
    - `ClientToCfEgressRTTMs int64` Round trip time in ms of the client to Cloudflare egress mile
    - `ClientToCfIngressRTTMs int64` Round trip time in ms of the client to Cloudflare ingress mile
    - `Timestamp string`
    - `ClientToISPRTTMs int64` Round trip time in ms of the client to ISP mile
  - `Sampling NetworkPathSampling` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval.
    - `Unit NetworkPathSamplingUnit`
      - `const NetworkPathSamplingUnitHours NetworkPathSamplingUnit = "hours"`
    - `Value int64`

### Network Path Response

- `type NetworkPathResponse struct{…}`
  - `ID string` API Resource UUID tag.
  - `DeviceName string`
  - `Interval string` The interval at which the Traceroute synthetic application test is set to run.
  - `Kind NetworkPathResponseKind`
    - `const NetworkPathResponseKindTraceroute NetworkPathResponseKind = "traceroute"`
  - `Name string`
  - `NetworkPath NetworkPath`
    - `Slots []NetworkPathSlot`
      - `ID string` API Resource UUID tag.
      - `ClientToAppRTTMs int64` Round trip time in ms of the client to app mile
      - `ClientToCfEgressRTTMs int64` Round trip time in ms of the client to Cloudflare egress mile
      - `ClientToCfIngressRTTMs int64` Round trip time in ms of the client to Cloudflare ingress mile
      - `Timestamp string`
      - `ClientToISPRTTMs int64` Round trip time in ms of the client to ISP mile
    - `Sampling NetworkPathSampling` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval.
      - `Unit NetworkPathSamplingUnit`
        - `const NetworkPathSamplingUnitHours NetworkPathSamplingUnit = "hours"`
      - `Value int64`
  - `URL string` The host of the Traceroute synthetic application test

### Percentiles

- `type Percentiles struct{…}`
  - `P50 float64` p50 observed in the time period
  - `P90 float64` p90 observed in the time period
  - `P95 float64` p95 observed in the time period
  - `P99 float64` p99 observed in the time period

# WARP Change Events

## List WARP change events.

`client.ZeroTrust.DEX.WARPChangeEvents.Get(ctx, params) (*[]DexwarpChangeEventGetResponse, error)`

**get** `/accounts/{account_id}/dex/warp-change-events`

List WARP configuration and enablement toggle change events by device.
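A defender typically reads this endpoint to find devices that have left the tunnel or moved to a different WARP configuration. The following is an added example, not part of the Cloudflare SDK or of this reference: it decodes a response body of this endpoint with the standard library only and flags devices whose latest toggle event is `off` for longer than a threshold, plus every configuration name change. `Triage`, `Finding`, the one-hour threshold and `sampleResponse` are hypothetical, and the JSON keys `from`, `to` and `config_name` are assumed from the Go field names `From`, `To` and `ConfigName`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// sampleResponse is constructed for this example, not captured API output.
const sampleResponse = `{"success": true, "result": [
 {"device_id":"dev-a","timestamp":"2023-10-11T08:10:00Z","toggle":"on","user_email":"a@example.com"},
 {"device_id":"dev-a","timestamp":"2023-10-11T08:00:00Z","toggle":"off","user_email":"a@example.com"},
 {"device_id":"dev-b","timestamp":"2023-10-11T09:00:00Z","toggle":"off","user_email":"b@example.com"},
 {"device_id":"dev-c","timestamp":"2023-10-11T10:00:00Z","from":{"config_name":"Corp default"},"to":{"config_name":"Contractors"},"user_email":"c@example.com"},
 {"device_id":"dev-d","timestamp":"2023-10-11T11:55:00Z","toggle":"off","user_email":"d@example.com"}
]}`

// configRef mirrors the "from"/"to" objects of a config change event.
// The JSON key config_name is an assumption based on the ConfigName field.
type configRef struct {
	ConfigName string `json:"config_name"`
}

// changeEvent covers both variants of the result union: toggle events
// carry "toggle", config events carry "from" and "to".
type changeEvent struct {
	DeviceID  string     `json:"device_id"`
	Timestamp string     `json:"timestamp"`
	UserEmail string     `json:"user_email"`
	Toggle    string     `json:"toggle"`
	From      *configRef `json:"from"`
	To        *configRef `json:"to"`
	at        time.Time  // parsed Timestamp, filled in by Triage
}

type envelope struct {
	Success bool          `json:"success"`
	Result  []changeEvent `json:"result"`
}

// Finding is one item for an analyst to review (hypothetical type).
type Finding struct {
	DeviceID, UserEmail, Kind, Detail string
	At                                time.Time
}

// Triage flags devices whose most recent toggle event is "off" and older
// than maxOff at time now, plus every change of WARP configuration name.
func Triage(body []byte, now time.Time, maxOff time.Duration) ([]Finding, error) {
	var env envelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, fmt.Errorf("API reported success=false")
	}
	events := env.Result
	for i := range events {
		var err error
		if events[i].at, err = time.Parse(time.RFC3339, events[i].Timestamp); err != nil {
			return nil, fmt.Errorf("device %s: bad timestamp %q", events[i].DeviceID, events[i].Timestamp)
		}
	}
	// Do not rely on the requested SortOrder; order by event time here.
	sort.SliceStable(events, func(i, j int) bool { return events[i].at.Before(events[j].at) })

	var findings []Finding
	lastToggle := map[string]changeEvent{}
	for _, e := range events {
		switch {
		case e.Toggle != "":
			lastToggle[e.DeviceID] = e // later events overwrite earlier ones
		case e.From != nil && e.To != nil && e.From.ConfigName != e.To.ConfigName:
			findings = append(findings, Finding{e.DeviceID, e.UserEmail, "config_change",
				e.From.ConfigName + " -> " + e.To.ConfigName, e.at})
		}
	}
	for _, e := range lastToggle {
		if off := now.Sub(e.at); e.Toggle == "off" && off > maxOff {
			findings = append(findings, Finding{e.DeviceID, e.UserEmail, "warp_off",
				"off for " + off.String(), e.at})
		}
	}
	sort.SliceStable(findings, func(i, j int) bool { return findings[i].DeviceID < findings[j].DeviceID })
	return findings, nil
}

func main() {
	now := time.Date(2023, 10, 11, 12, 0, 0, 0, time.UTC)
	findings, err := Triage([]byte(sampleResponse), now, time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f.DeviceID, f.Kind, f.Detail, f.UserEmail)
	}
}
```

The result is paginated, so a real run has to collect every page of the queried time window before calling `Triage`; otherwise a later `on` event on another page can be missed.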
### Parameters

- `params DEXWARPChangeEventGetParams`
  - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path
  - `From param.Field[string]` Query param: Start time for the query in ISO (RFC3339 - ISO 8601) format
  - `Page param.Field[float64]` Query param: Page number of paginated results
  - `PerPage param.Field[float64]` Query param: Number of items per page
  - `To param.Field[string]` Query param: End time for the query in ISO (RFC3339 - ISO 8601) format
  - `AccountName param.Field[string]` Query param: Filter events by account name.
  - `ConfigName param.Field[string]` Query param: Filter events by WARP configuration name changed from or to. Applicable to type='config' events only.
  - `SortOrder param.Field[DexwarpChangeEventGetParamsSortOrder]` Query param: Sort response by event timestamp.
    - `const DexwarpChangeEventGetParamsSortOrderAsc DexwarpChangeEventGetParamsSortOrder = "ASC"`
    - `const DexwarpChangeEventGetParamsSortOrderDesc DexwarpChangeEventGetParamsSortOrder = "DESC"`
  - `Toggle param.Field[DexwarpChangeEventGetParamsToggle]` Query param: Filter events by type toggle value. Applicable to type='toggle' events only.
    - `const DexwarpChangeEventGetParamsToggleOn DexwarpChangeEventGetParamsToggle = "on"`
    - `const DexwarpChangeEventGetParamsToggleOff DexwarpChangeEventGetParamsToggle = "off"`
  - `Type param.Field[DexwarpChangeEventGetParamsType]` Query param: Filter events by type 'config' or 'toggle'
    - `const DexwarpChangeEventGetParamsTypeConfig DexwarpChangeEventGetParamsType = "config"`
    - `const DexwarpChangeEventGetParamsTypeToggle DexwarpChangeEventGetParamsType = "toggle"`

### Returns

- `type DexwarpChangeEventGetResponseEnvelopeResult []DexwarpChangeEventGetResponse`
  - `type DexwarpChangeEventGetResponseDigitalExperienceMonitoringWARPToggleChangeEvent struct{…}`
    - `AccountName string` The account name.
    - `AccountTag string` The public account identifier.
    - `DeviceID string` API Resource UUID tag.
    - `DeviceRegistration string` API Resource UUID tag.
    - `Hostname string` The hostname of the machine the event is from
    - `SerialNumber string` The serial number of the machine the event is from
    - `Timestamp string` Timestamp in ISO format
    - `Toggle DexwarpChangeEventGetResponseDigitalExperienceMonitoringWARPToggleChangeEventToggle` The state of the WARP toggle.
      - `const DexwarpChangeEventGetResponseDigitalExperienceMonitoringWARPToggleChangeEventToggleOn DexwarpChangeEventGetResponseDigitalExperienceMonitoringWARPToggleChangeEventToggle = "on"`
      - `const DexwarpChangeEventGetResponseDigitalExperienceMonitoringWARPToggleChangeEventToggleOff DexwarpChangeEventGetResponseDigitalExperienceMonitoringWARPToggleChangeEventToggle = "off"`
    - `UserEmail string` Email tied to the device
  - `type DexwarpChangeEventGetResponseDigitalExperienceMonitoringWARPConfigChangeEvent struct{…}`
    - `DeviceID string` API Resource UUID tag.
    - `DeviceRegistration string` API Resource UUID tag.
    - `From DexwarpChangeEventGetResponseDigitalExperienceMonitoringWARPConfigChangeEventFrom`
      - `AccountName string` The account name.
      - `AccountTag string` API Resource UUID tag.
      - `ConfigName string` The name of the WARP configuration.
    - `Hostname string` The hostname of the machine the event is from
    - `SerialNumber string` The serial number of the machine the event is from
    - `Timestamp string` Timestamp in ISO format
    - `To DexwarpChangeEventGetResponseDigitalExperienceMonitoringWARPConfigChangeEventTo`
      - `AccountName string` The account name.
      - `AccountTag string` API Resource UUID tag.
      - `ConfigName string` The name of the WARP configuration.
    - `UserEmail string` Email tied to the device

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	warpChangeEvents, err := client.ZeroTrust.DEX.WARPChangeEvents.Get(context.TODO(), zero_trust.DEXWARPChangeEventGetParams{
		AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		From:      cloudflare.F("2023-09-20T17:00:00Z"),
		Page:      cloudflare.F(1.000000),
		PerPage:   cloudflare.F(1.000000),
		To:        cloudflare.F("2023-09-20T17:00:00Z"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", warpChangeEvents)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "account_name": "account_name",
      "account_tag": "account_tag",
      "device_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "device_registration": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "hostname": "hostname",
      "serial_number": "serial_number",
      "timestamp": "2023-10-11T00:00:00Z",
      "toggle": "on",
      "user_email": "user_email"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Commands

## List account commands

`client.ZeroTrust.DEX.Commands.List(ctx, params) (*V4PagePagination[DEXCommandListResponse], error)`

**get** `/accounts/{account_id}/dex/commands`

Retrieves a paginated list of commands issued to devices under the specified account, optionally filtered by time range, device, or other parameters

### Parameters

- `params DEXCommandListParams`
  - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path
  - `Page param.Field[float64]` Query param: Page number for pagination
  - `PerPage param.Field[float64]` Query param: Number of results per page
  - `CommandType param.Field[string]` Query param: Optionally filter executed commands by command type
  - `DeviceID param.Field[string]` Query param: Unique identifier for a device
  - `From param.Field[Time]` Query param: Start time for the query in ISO (RFC3339 - ISO 8601) format
  - `Status param.Field[DEXCommandListParamsStatus]` Query param: Optionally filter executed commands by status
    - `const DEXCommandListParamsStatusPendingExec DEXCommandListParamsStatus = "PENDING_EXEC"`
    - `const DEXCommandListParamsStatusPendingUpload DEXCommandListParamsStatus = "PENDING_UPLOAD"`
    - `const DEXCommandListParamsStatusSuccess DEXCommandListParamsStatus = "SUCCESS"`
    - `const DEXCommandListParamsStatusFailed DEXCommandListParamsStatus = "FAILED"`
  - `To param.Field[Time]` Query param: End time for the query in ISO (RFC3339 - ISO 8601) format
  - `UserEmail param.Field[string]` Query param: Email tied to the device

### Returns

- `type DEXCommandListResponse struct{…}`
  - `Commands []DEXCommandListResponseCommand`
    - `ID string`
    - `CompletedDate Time`
    - `CreatedDate Time`
    - `DeviceID string`
    - `Filename string`
    - `RegistrationID string` Unique identifier for the device registration
    - `Status string`
    - `Type string`
    - `UserEmail string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.DEX.Commands.List(context.TODO(), zero_trust.DEXCommandListParams{
		AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		Page:      cloudflare.F(1.000000),
		PerPage:   cloudflare.F(50.000000),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "commands": [
      {
        "id": "id",
        "completed_date": "2019-12-27T18:11:19.117Z",
        "created_date": "2019-12-27T18:11:19.117Z",
        "device_id": "device_id",
        "filename": "filename",
        "registration_id": "registration_id",
        "status": "status",
        "type": "type",
        "user_email": "user_email"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Create account commands

`client.ZeroTrust.DEX.Commands.New(ctx, params) (*DEXCommandNewResponse, error)`

**post** `/accounts/{account_id}/dex/commands`

Initiate commands for up to 10 devices per account

### Parameters

- `params DEXCommandNewParams`
  - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path
  - `Commands param.Field[[]DEXCommandNewParamsCommand]` Body param: List of device-level commands to execute
    - `CommandType DEXCommandNewParamsCommandsCommandType` Type of command to execute on the device
      - `const DEXCommandNewParamsCommandsCommandTypePCAP DEXCommandNewParamsCommandsCommandType = "pcap"`
      - `const DEXCommandNewParamsCommandsCommandTypeWARPDiag DEXCommandNewParamsCommandsCommandType = "warp-diag"`
    - `DeviceID string` Unique identifier for the physical device
    - `UserEmail string` Email tied to the device
    - `CommandArgs DEXCommandNewParamsCommandsCommandArgs`
      - `Interfaces []DEXCommandNewParamsCommandsCommandArgsInterface` List of interfaces to capture packets on
        - `const DEXCommandNewParamsCommandsCommandArgsInterfaceDefault DEXCommandNewParamsCommandsCommandArgsInterface = "default"`
        - `const DEXCommandNewParamsCommandsCommandArgsInterfaceTunnel DEXCommandNewParamsCommandsCommandArgsInterface = "tunnel"`
      - `MaxFileSizeMB float64`
        Maximum file size (in MB) for the capture file. Specifies the maximum file size of the warp-diag zip artifact that can be uploaded. If the zip artifact exceeds the specified max file size, it will NOT be uploaded
      - `PacketSizeBytes float64` Maximum number of bytes to save for each packet
      - `TestAllRoutes bool` Test an IP address from all included or excluded ranges. Essentially the same as running 'route get '' and collecting the results. This option may increase the time taken to collect the warp-diag
      - `TimeLimitMin float64` Limit on capture duration (in minutes)
    - `RegistrationID string` Unique identifier for the device registration. Required for multi-user devices to target the correct user session.

### Returns

- `type DEXCommandNewResponse struct{…}`
  - `Commands []DEXCommandNewResponseCommand` List of created commands
    - `ID string` Unique identifier for the command
    - `Args map[string]string` Command arguments
    - `DeviceID string` Identifier for the device associated with the command
    - `RegistrationID string` Unique identifier for the device registration
    - `Status DEXCommandNewResponseCommandsStatus` Current status of the command
      - `const DEXCommandNewResponseCommandsStatusPendingExec DEXCommandNewResponseCommandsStatus = "PENDING_EXEC"`
      - `const DEXCommandNewResponseCommandsStatusPendingUpload DEXCommandNewResponseCommandsStatus = "PENDING_UPLOAD"`
      - `const DEXCommandNewResponseCommandsStatusSuccess DEXCommandNewResponseCommandsStatus = "SUCCESS"`
      - `const DEXCommandNewResponseCommandsStatusFailed DEXCommandNewResponseCommandsStatus = "FAILED"`
    - `Type string` Type of the command (e.g., "pcap" or "warp-diag")

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	command, err := client.ZeroTrust.DEX.Commands.New(context.TODO(), zero_trust.DEXCommandNewParams{
		AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		Commands: cloudflare.F([]zero_trust.DEXCommandNewParamsCommand{zero_trust.DEXCommandNewParamsCommand{
			CommandType: cloudflare.F(zero_trust.DEXCommandNewParamsCommandsCommandTypePCAP),
			DeviceID:    cloudflare.F("device_id"),
			UserEmail:   cloudflare.F("user_email"),
		}}),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", command.Commands)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "commands": [
      {
        "id": "id",
        "args": {
          "foo": "string"
        },
        "device_id": "device_id",
        "registration_id": "registration_id",
        "status": "PENDING_EXEC",
        "type": "type"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Devices

## List devices eligible for remote captures

`client.ZeroTrust.DEX.Commands.Devices.List(ctx, params) (*V4PagePagination[DEXCommandDeviceListResponse], error)`

**get** `/accounts/{account_id}/dex/commands/devices`

List devices with WARP client support for remote captures which have been connected in the last 1 hour.
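One way to turn this endpoint's device list into command requests that stay within the 10-device limit stated for command creation, as an added example that is not part of the Cloudflare documentation or SDK. `PlanCaptures`, `PlannedCommand`, `Skipped` and the sample data are hypothetical, and applying the limit per request is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// maxPerRequest is the documented limit of 10 devices for command creation;
// applying it as a per-request cap is an assumption of this example.
const maxPerRequest = 10

// eligibleDevice holds the result.devices[] fields this example needs.
type eligibleDevice struct {
	DeviceID         string `json:"deviceId"`
	Eligible         bool   `json:"eligible"`
	IneligibleReason string `json:"ineligibleReason"`
	PersonEmail      string `json:"personEmail"`
	RegistrationID   string `json:"registrationId"`
}

type deviceList struct {
	Success bool `json:"success"`
	Result  struct {
		Devices []eligibleDevice `json:"devices"`
	} `json:"result"`
}

// PlannedCommand (hypothetical) carries the values for one Commands entry.
type PlannedCommand struct {
	CommandType, DeviceID, UserEmail, RegistrationID string
}

// Skipped (hypothetical) records why a listed device got no command.
type Skipped struct{ DeviceID, Reason string }

// PlanCaptures (hypothetical) keeps only eligible devices, keys them by
// device and registration so each user session on a multi-user device is
// targeted once, and groups the commands into batches of at most 10.
func PlanCaptures(raw []byte, commandType string) ([][]PlannedCommand, []Skipped, error) {
	if commandType != "pcap" && commandType != "warp-diag" {
		return nil, nil, fmt.Errorf("unsupported command type %q", commandType)
	}
	var list deviceList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, nil, fmt.Errorf("decode device list: %w", err)
	}
	if !list.Success {
		return nil, nil, fmt.Errorf("device list response has success=false")
	}
	var batches [][]PlannedCommand
	var skipped []Skipped
	seen := map[string]bool{}
	for _, d := range list.Result.Devices {
		key := d.DeviceID + "/" + d.RegistrationID
		switch {
		case d.DeviceID == "":
			skipped = append(skipped, Skipped{"", "missing deviceId"})
			continue
		case !d.Eligible:
			skipped = append(skipped, Skipped{d.DeviceID, d.IneligibleReason})
			continue
		case seen[key]:
			skipped = append(skipped, Skipped{d.DeviceID, "duplicate registration"})
			continue
		}
		seen[key] = true
		if n := len(batches); n == 0 || len(batches[n-1]) == maxPerRequest {
			batches = append(batches, nil) // start a new request body
		}
		last := len(batches) - 1
		batches[last] = append(batches[last], PlannedCommand{
			CommandType: commandType, DeviceID: d.DeviceID,
			UserEmail: d.PersonEmail, RegistrationID: d.RegistrationID,
		})
	}
	return batches, skipped, nil
}

// sampleResponse builds a constructed response: 12 eligible devices, one
// ineligible device, one repeated entry, one second registration on dev-01.
func sampleResponse() []byte {
	var list deviceList
	list.Success = true
	for i := 1; i <= 12; i++ {
		list.Result.Devices = append(list.Result.Devices, eligibleDevice{
			DeviceID: fmt.Sprintf("dev-%02d", i), Eligible: true,
			PersonEmail:    fmt.Sprintf("user%02d@example.com", i),
			RegistrationID: fmt.Sprintf("reg-%02d", i),
		})
	}
	list.Result.Devices = append(list.Result.Devices,
		eligibleDevice{DeviceID: "dev-13", IneligibleReason: "constructed reason"},
		eligibleDevice{DeviceID: "dev-01", Eligible: true, RegistrationID: "reg-01"},
		eligibleDevice{DeviceID: "dev-01", Eligible: true, RegistrationID: "reg-99"},
	)
	raw, _ := json.Marshal(list)
	return raw
}

func main() {
	batches, skipped, err := PlanCaptures(sampleResponse(), "pcap")
	fmt.Println(len(batches), "requests,", len(skipped), "skipped, err:", err)
}
```

Each inner slice maps to the `Commands` body param of one create-commands call; keeping the skipped list gives an audit trail of which devices were not captured and why.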

### Parameters

- `params DEXCommandDeviceListParams`
  - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path
  - `Page param.Field[float64]` Query param: Page number of paginated results
  - `PerPage param.Field[float64]` Query param: Number of items per page
  - `Search param.Field[string]` Query param: Filter devices by name or email

### Returns

- `type DEXCommandDeviceListResponse struct{…}`
  - `Devices []DEXCommandDeviceListResponseDevice` List of eligible devices
    - `DeviceID string` Device identifier (UUID v4)
    - `DeviceName string` Device identifier (human readable)
    - `Eligible bool` Whether the device is eligible for remote captures
    - `IneligibleReason string` If the device is not eligible, the reason why.
    - `PersonEmail string` User contact email address
    - `Platform string` Operating system
    - `RegistrationID string` Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user's registration on the device.
    - `Status string` Network status
    - `Timestamp string` Timestamp in ISO format
    - `Version string` WARP client version

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.DEX.Commands.Devices.List(context.TODO(), zero_trust.DEXCommandDeviceListParams{
		AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		Page:      cloudflare.F(1.000000),
		PerPage:   cloudflare.F(1.000000),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "devices": [
      {
        "deviceId": "deviceId",
        "deviceName": "deviceName",
        "eligible": true,
        "ineligibleReason": "ineligibleReason",
        "personEmail": "personEmail",
        "platform": "windows",
        "registrationId": "registrationId",
        "status": "connected",
        "timestamp": "2023-10-11T00:00:00Z",
        "version": "1.0.0"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Downloads

## Download command output file

`client.ZeroTrust.DEX.Commands.Downloads.Get(ctx, commandID, filename, query) (*Response, error)`

**get** `/accounts/{account_id}/dex/commands/{command_id}/downloads/{filename}`

Downloads artifacts for an executed command.
Bulk downloads are not supported

### Parameters

- `commandID string` Unique identifier for a command
- `filename string`
- `query DEXCommandDownloadGetParams`
  - `AccountID param.Field[string]` unique identifier linked to an account in the API request path

### Returns

- `type DEXCommandDownloadGetResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	download, err := client.ZeroTrust.DEX.Commands.Downloads.Get(
		context.TODO(),
		"5758fefe-ae7e-4538-a39b-1fef6abcb909",
		"filename",
		zero_trust.DEXCommandDownloadGetParams{
			AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", download)
}
```

# Quota

## Returns account commands usage, quota, and reset time

`client.ZeroTrust.DEX.Commands.Quota.Get(ctx, query) (*DEXCommandQuotaGetResponse, error)`

**get** `/accounts/{account_id}/dex/commands/quota`

Retrieves the current quota usage and limits for device commands within a specific account, including the time when the quota will reset

### Parameters

- `query DEXCommandQuotaGetParams`
  - `AccountID param.Field[string]` unique identifier linked to an account in the API request path

### Returns

- `type DEXCommandQuotaGetResponse struct{…}`
  - `Quota float64` The remaining number of commands that can be initiated for an account
  - `QuotaUsage float64` The number of commands that have been initiated for an account
  - `ResetTime Time` The time when the quota resets

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	quota, err := client.ZeroTrust.DEX.Commands.Quota.Get(context.TODO(), zero_trust.DEXCommandQuotaGetParams{
		AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", quota.Quota)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "quota": 0,
    "quota_usage": 0,
    "reset_time": "2019-12-27T18:11:19.117Z"
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Colos

## List Cloudflare colos

`client.ZeroTrust.DEX.Colos.List(ctx, params) (*SinglePage[DEXColoListResponse], error)`

**get** `/accounts/{account_id}/dex/colos`

List Cloudflare colos that account's devices were connected to during a time period, sorted by usage starting from the most used colo. Colos without traffic are also returned and sorted alphabetically.

### Parameters

- `params DEXColoListParams`
  - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path.
  - `From param.Field[string]` Query param: Start time for connection period in ISO (RFC3339 - ISO 8601) format
  - `To param.Field[string]` Query param: End time for connection period in ISO (RFC3339 - ISO 8601) format
  - `SortBy param.Field[DEXColoListParamsSortBy]` Query param: Type of usage that colos should be sorted by. If unspecified, returns all Cloudflare colos sorted alphabetically.
    - `const DEXColoListParamsSortByFleetStatusUsage DEXColoListParamsSortBy = "fleet-status-usage"`
    - `const DEXColoListParamsSortByApplicationTestsUsage DEXColoListParamsSortBy = "application-tests-usage"`

### Returns

- `type DEXColoListResponse struct{…}`
  - `AirportCode string` Airport code
  - `City string` City
  - `CountryCode string` Country code

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.DEX.Colos.List(context.TODO(), zero_trust.DEXColoListParams{
		AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		From:      cloudflare.F("2023-08-20T20:45:00Z"),
		To:        cloudflare.F("2023-08-24T20:45:00Z"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "airportCode": "SFO",
      "city": "San Francisco",
      "countryCode": "US"
    }
  ]
}
```

# Fleet Status

## List fleet status details by dimension

`client.ZeroTrust.DEX.FleetStatus.Live(ctx, params) (*DEXFleetStatusLiveResponse, error)`

**get** `/accounts/{account_id}/dex/fleet-status/live`

List details for live (up to 60 minutes) devices using WARP

### Parameters

- `params DEXFleetStatusLiveParams`
  - `AccountID param.Field[string]` Path param: Unique identifier for account
  - `SinceMinutes param.Field[float64]` Query param: Number of minutes before current time

### Returns

- `type DEXFleetStatusLiveResponse struct{…}`
  - `DeviceStats DEXFleetStatusLiveResponseDeviceStats`
    - `ByColo []LiveStat`
      - `UniqueDevicesTotal float64` Number of unique devices
      - `Value string`
    - `ByMode []LiveStat`
      - `UniqueDevicesTotal float64` Number of unique devices
      - `Value string`
    - `ByPlatform []LiveStat`
      - `UniqueDevicesTotal float64` Number of unique devices
      - `Value string`
    - `ByStatus []LiveStat`
      - `UniqueDevicesTotal float64` Number of unique devices
      - `Value string`
    - `ByVersion []LiveStat`
      - `UniqueDevicesTotal float64` Number of unique devices
      - `Value string`
    - `UniqueDevicesTotal float64` Number of unique devices

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.DEX.FleetStatus.Live(context.TODO(), zero_trust.DEXFleetStatusLiveParams{
		AccountID:    cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		SinceMinutes: cloudflare.F(10.000000),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.DeviceStats)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "deviceStats": {
      "byColo": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byMode": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byPlatform": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byStatus": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byVersion": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "uniqueDevicesTotal": 0
    }
  }
}
```

## List fleet status aggregate details by dimension

`client.ZeroTrust.DEX.FleetStatus.OverTime(ctx, params) (*DEXFleetStatusOverTimeResponse, error)`

**get** `/accounts/{account_id}/dex/fleet-status/over-time`

List details for devices using WARP, up to 7 days

### Parameters

- `params DEXFleetStatusOverTimeParams`
  - `AccountID param.Field[string]` Path param: Unique identifier for account
  - `From param.Field[string]` Query param: Time range beginning in ISO format
  - `To param.Field[string]` Query param: Time range end in ISO format
  - `Colo param.Field[string]` Query param: Cloudflare colo
  - `DeviceID param.Field[string]` Query param: Device-specific ID, given as UUID v4

### Returns

- `type DEXFleetStatusOverTimeResponse struct{…}`
  - `DeviceStats DEXFleetStatusOverTimeResponseDeviceStats`
    - `ByMode []DEXFleetStatusOverTimeResponseDeviceStatsByMode`
      - `Timestamp string` Timestamp in ISO format
      - `UniqueDevicesTotal float64` Number of unique devices
      - `Value string`
    - `ByStatus []DEXFleetStatusOverTimeResponseDeviceStatsByStatus`
      - `Timestamp string` Timestamp in ISO format
      - `UniqueDevicesTotal float64` Number of unique devices
      - `Value string`
    - `UniqueDevicesTotal float64` Number of unique devices

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.DEX.FleetStatus.OverTime(context.TODO(), zero_trust.DEXFleetStatusOverTimeParams{
		AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		From:      cloudflare.F("2023-10-11T00:00:00Z"),
		To:        cloudflare.F("2023-10-11T00:00:00Z"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.DeviceStats)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "deviceStats": {
      "byMode": [
        {
          "timestamp": "2023-10-11T00:00:00Z",
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byStatus": [
        {
          "timestamp": "2023-10-11T00:00:00Z",
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "uniqueDevicesTotal": 0
    }
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Live Stat

- `type LiveStat struct{…}`
  - `UniqueDevicesTotal float64` Number of unique devices
  - `Value string`

# Devices

## List fleet status devices

`client.ZeroTrust.DEX.FleetStatus.Devices.List(ctx, params) (*V4PagePaginationArray[DEXFleetStatusDeviceListResponse], error)`

**get** `/accounts/{account_id}/dex/fleet-status/devices`

List details for devices using WARP

### Parameters

- `params DEXFleetStatusDeviceListParams`
  - `AccountID param.Field[string]` Path param: Unique identifier for account
  - `From param.Field[string]` Query param: Time range beginning in ISO format
  - `Page param.Field[float64]` Query param: Page number
  - `PerPage param.Field[float64]` Query param: Number of results per page
  - `To param.Field[string]` Query param: Time range end in ISO format
  - `Colo param.Field[string]` Query param: Cloudflare colo
  - `DeviceID param.Field[string]` Query param: Device-specific ID, given as UUID v4
  - `Mode param.Field[string]` Query param: The mode under which the WARP client is run
  - `Platform param.Field[string]` Query param: Operating system
  - `SortBy param.Field[DEXFleetStatusDeviceListParamsSortBy]` Query param: Dimension to sort results by
    - `const DEXFleetStatusDeviceListParamsSortByColo DEXFleetStatusDeviceListParamsSortBy = "colo"`
    - `const DEXFleetStatusDeviceListParamsSortByDeviceID DEXFleetStatusDeviceListParamsSortBy = "device_id"`
    - `const DEXFleetStatusDeviceListParamsSortByMode DEXFleetStatusDeviceListParamsSortBy = "mode"`
    - `const DEXFleetStatusDeviceListParamsSortByPlatform DEXFleetStatusDeviceListParamsSortBy = "platform"`
    - `const DEXFleetStatusDeviceListParamsSortByStatus DEXFleetStatusDeviceListParamsSortBy = "status"`
    - `const DEXFleetStatusDeviceListParamsSortByTimestamp DEXFleetStatusDeviceListParamsSortBy = "timestamp"`
    - `const DEXFleetStatusDeviceListParamsSortByVersion DEXFleetStatusDeviceListParamsSortBy = "version"`
  - `Source param.Field[DEXFleetStatusDeviceListParamsSource]` Query param: Source:
    * `hourly` - device details aggregated hourly, up to 7 days prior
    * `last_seen` - device details, up to 60 minutes prior
    * `raw` - device details, up to 7 days prior

    - `const DEXFleetStatusDeviceListParamsSourceLastSeen DEXFleetStatusDeviceListParamsSource = "last_seen"`
    - `const DEXFleetStatusDeviceListParamsSourceHourly DEXFleetStatusDeviceListParamsSource = "hourly"`
    - `const DEXFleetStatusDeviceListParamsSourceRaw DEXFleetStatusDeviceListParamsSource = "raw"`
  - `Status param.Field[string]` Query param: Network status
  - `Version param.Field[string]` Query param: WARP client version

### Returns

- `type DEXFleetStatusDeviceListResponse struct{…}`
  - `Colo string` Cloudflare colo
  - `DeviceID string` Device identifier (UUID v4)
  - `Mode string` The mode under which the WARP client is run
  - `Platform string` Operating system
  - `Status string` Network status
  - `Timestamp string` Timestamp in ISO format
  - `Version string` WARP client version
  - `AlwaysOn bool`
  - `BatteryCharging bool`
  - `BatteryCycles int64`
  - `BatteryPct float64`
  - `ConnectionType string`
  - `CPUPct float64`
  - `CPUPctByApp [][]DEXFleetStatusDeviceListResponseCPUPctByApp`
    - `CPUPct float64`
    - `Name string`
  - `DeviceIPV4 DEXFleetStatusDeviceListResponseDeviceIPV4`
    - `Address string`
    - `ASN int64`
    - `Aso string`
    - `Location DEXFleetStatusDeviceListResponseDeviceIPV4Location`
      - `City string`
      - `CountryISO string`
      - `StateISO string`
      - `Zip string`
    - `Netmask string`
    - `Version string`
  - `DeviceIPV6 DEXFleetStatusDeviceListResponseDeviceIPV6`
    - `Address string`
    - `ASN int64`
    - `Aso string`
    - `Location DEXFleetStatusDeviceListResponseDeviceIPV6Location`
      - `City string`
      - `CountryISO string`
      - `StateISO string`
      - `Zip string`
    - `Netmask string`
    - `Version string`
  - `DeviceName string` Device identifier (human readable)
  - `DiskReadBps int64`
  - `DiskUsagePct float64`
  - `DiskWriteBps int64`
  - `DOHSubdomain string`
  - `EstimatedLossPct float64`
  - `FirewallEnabled bool`
  - `GatewayIPV4 DEXFleetStatusDeviceListResponseGatewayIPV4`
    - `Address string`
    - `ASN int64`
    - `Aso string`
    - `Location DEXFleetStatusDeviceListResponseGatewayIPV4Location`
      - `City string`
      - `CountryISO string`
      - `StateISO string`
      - `Zip string`
    - `Netmask string`
    - `Version string`
  - `GatewayIPV6 DEXFleetStatusDeviceListResponseGatewayIPV6`
    - `Address string`
    - `ASN int64`
    - `Aso string`
    - `Location DEXFleetStatusDeviceListResponseGatewayIPV6Location`
      - `City string`
      - `CountryISO string`
      - `StateISO string`
      - `Zip string`
    - `Netmask string`
    - `Version string`
  - `HandshakeLatencyMs float64`
  - `ISPIPV4 DEXFleetStatusDeviceListResponseISPIPV4`
    - `Address string`
    - `ASN int64`
    - `Aso string`
    - `Location DEXFleetStatusDeviceListResponseISPIPV4Location`
      - `City string`
      - `CountryISO string`
      - `StateISO string`
      - `Zip string`
    - `Netmask string`
    - `Version string`
  - `ISPIPV6 DEXFleetStatusDeviceListResponseISPIPV6`
    - `Address string`
    - `ASN int64`
    - `Aso string`
    - `Location DEXFleetStatusDeviceListResponseISPIPV6Location`
      - `City string`
      - `CountryISO string`
      - `StateISO string`
      - `Zip string`
    - `Netmask string`
    - `Version string`
  - `Metal string`
  - `NetworkRcvdBps int64`
  - `NetworkSentBps int64`
  - `NetworkSsid string`
  - `PersonEmail string` User contact email address
  - `RamAvailableKB int64`
  - `RamUsedPct float64`
  - `RamUsedPctByApp [][]DEXFleetStatusDeviceListResponseRamUsedPctByApp`
    - `Name string`
    - `RamUsedPct float64`
  - `SwitchLocked bool`
  - `WifiStrengthDbm int64`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.DEX.FleetStatus.Devices.List(context.TODO(), zero_trust.DEXFleetStatusDeviceListParams{
		AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		From:      cloudflare.F("2023-10-11T00:00:00Z"),
		Page:      cloudflare.F(1.000000),
		PerPage:   cloudflare.F(10.000000),
		To:        cloudflare.F("2023-10-11T00:00:00Z"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "colo": "SJC",
      "deviceId": "deviceId",
      "mode": "proxy",
      "platform": "windows",
      "status": "connected",
      "timestamp": "2023-10-11T00:00:00Z",
      "version": "1.0.0",
      "alwaysOn": true,
      "batteryCharging": true,
      "batteryCycles": 0,
      "batteryPct": 0,
      "connectionType": "connectionType",
      "cpuPct": 0,
      "cpuPctByApp": [
        [
          {
            "cpu_pct": 0,
            "name": "name"
          }
        ]
      ],
      "deviceIpv4": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": {
          "city": "city",
          "country_iso": "country_iso",
          "state_iso": "state_iso",
          "zip": "zip"
        },
        "netmask": "netmask",
        "version": "version"
      },
      "deviceIpv6": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": {
          "city": "city",
          "country_iso": "country_iso",
          "state_iso": "state_iso",
          "zip": "zip"
        },
        "netmask": "netmask",
        "version": "version"
      },
      "deviceName": "deviceName",
      "diskReadBps": 0,
      "diskUsagePct": 0,
      "diskWriteBps": 0,
      "dohSubdomain": "dohSubdomain",
      "estimatedLossPct": 0,
      "firewallEnabled": true,
      "gatewayIpv4": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": {
          "city": "city",
          "country_iso": "country_iso",
          "state_iso": "state_iso",
          "zip": "zip"
        },
        "netmask": "netmask",
        "version": "version"
      },
      "gatewayIpv6": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": {
          "city": "city",
          "country_iso": "country_iso",
          "state_iso": "state_iso",
          "zip": "zip"
        },
        "netmask": "netmask",
        "version": "version"
      },
      "handshakeLatencyMs": 0,
      "ispIpv4": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": {
          "city": "city",
          "country_iso": "country_iso",
          "state_iso": "state_iso",
          "zip": "zip"
        },
        "netmask": "netmask",
        "version": "version"
      },
      "ispIpv6": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": {
          "city": "city",
          "country_iso": "country_iso",
          "state_iso": "state_iso",
          "zip": "zip"
        },
        "netmask": "netmask",
        "version": "version"
      },
      "metal": "metal",
      "networkRcvdBps": 0,
      "networkSentBps": 0,
      "networkSsid": "networkSsid",
      "personEmail": "personEmail",
      "ramAvailableKb": 0,
      "ramUsedPct": 0,
      "ramUsedPctByApp": [
        [
          {
            "name": "name",
            "ram_used_pct": 0
          }
        ]
      ],
      "switchLocked": true,
      "wifiStrengthDbm": 0
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# HTTP Tests

## Get details and aggregate metrics for an http test

`client.ZeroTrust.DEX.HTTPTests.Get(ctx, testID, params) (*HTTPDetails, error)`

**get** `/accounts/{account_id}/dex/http-tests/{test_id}`

Get test details and aggregate performance metrics for an http test for a given time period between 1 hour and 7 days.

### Parameters

- `testID string` API Resource UUID tag.
- `params DEXHTTPTestGetParams`
  - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path.
  - `From param.Field[string]` Query param: Start time for aggregate metrics in ISO ms
  - `Interval param.Field[DexhttpTestGetParamsInterval]` Query param: Time interval for aggregate time slots.
    - `const DexhttpTestGetParamsIntervalMinute DexhttpTestGetParamsInterval = "minute"`
    - `const DexhttpTestGetParamsIntervalHour DexhttpTestGetParamsInterval = "hour"`
  - `To param.Field[string]` Query param: End time for aggregate metrics in ISO ms
  - `Colo param.Field[string]` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param.
  - `DeviceID param.Field[[]string]` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param.

### Returns

- `type HTTPDetails struct{…}`
  - `Host string` The url of the HTTP synthetic application test
  - `HTTPStats HTTPDetailsHTTPStats`
    - `AvailabilityPct HTTPDetailsHTTPStatsAvailabilityPct`
      - `Slots []HTTPDetailsHTTPStatsAvailabilityPctSlot`
        - `Timestamp string`
        - `Value float64`
      - `Avg float64` average observed in the time period
      - `Max float64` highest observed in the time period
      - `Min float64` lowest observed in the time period
    - `DNSResponseTimeMs TestStatOverTime`
      - `Slots []TestStatOverTimeSlot`
        - `Timestamp string`
        - `Value int64`
      - `Avg int64` average observed in the time period
      - `Max int64` highest observed in the time period
      - `Min int64` lowest observed in the time period
    - `HTTPStatusCode []HTTPDetailsHTTPStatsHTTPStatusCode`
      - `Status200 int64`
      - `Status300 int64`
      - `Status400 int64`
      - `Status500 int64`
      - `Timestamp string`
    - `ResourceFetchTimeMs TestStatOverTime`
    - `ServerResponseTimeMs TestStatOverTime`
    - `UniqueDevicesTotal int64` Count of unique devices that have run this test in the given time period
  - `HTTPStatsByColo []HTTPDetailsHTTPStatsByColo`
    - `AvailabilityPct HTTPDetailsHTTPStatsByColoAvailabilityPct`
      - `Slots []HTTPDetailsHTTPStatsByColoAvailabilityPctSlot`
        - `Timestamp string`
        - `Value float64`
      - `Avg float64` average observed in the time period
      - `Max float64` highest observed in the time period
      - `Min float64` lowest observed in the time period
    - `Colo string`
    - `DNSResponseTimeMs TestStatOverTime`
    - `HTTPStatusCode []HTTPDetailsHTTPStatsByColoHTTPStatusCode`
      - `Status200 int64`
      - `Status300 int64`
      - `Status400 int64`
      - `Status500 int64`
      - `Timestamp string`
    - `ResourceFetchTimeMs TestStatOverTime`
    - `ServerResponseTimeMs TestStatOverTime`
    - `UniqueDevicesTotal int64` Count of unique devices that have run this test in the given time period
  - `Interval string` The interval at which the HTTP synthetic application test is set to run.
  - `Kind HTTPDetailsKind`
    - `const HTTPDetailsKindHTTP HTTPDetailsKind = "http"`
  - `Method string` The HTTP method to use when running the test
  - `Name string` The name of the HTTP synthetic application test
  - `TargetPolicies []DigitalExperienceMonitor`
    - `ID string` API Resource UUID tag.
    - `Default bool` Whether the policy is the default for the account
    - `Name string`
    - `Targeted bool`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	httpDetails, err := client.ZeroTrust.DEX.HTTPTests.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.DEXHTTPTestGetParams{
			AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
			From:      cloudflare.F("1689520412000"),
			Interval:  cloudflare.F(zero_trust.DexhttpTestGetParamsIntervalMinute),
			To:        cloudflare.F("1689606812000"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", httpDetails.Host)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "host": "http://example.com",
    "httpStats": {
      "availabilityPct": {
        "slots": [
          {
            "timestamp":
"2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "dnsResponseTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "httpStatusCode": [ { "status200": 0, "status300": 0, "status400": 0, "status500": 0, "timestamp": "2023-07-16 15:00:00+00" } ], "resourceFetchTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "serverResponseTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "uniqueDevicesTotal": 57 }, "httpStatsByColo": [ { "availabilityPct": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "colo": "DFW", "dnsResponseTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "httpStatusCode": [ { "status200": 0, "status300": 0, "status400": 0, "status500": 0, "timestamp": "2023-07-16 15:00:00+00" } ], "resourceFetchTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "serverResponseTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "uniqueDevicesTotal": 57 } ], "interval": "0h5m0s", "kind": "http", "method": "GET", "name": "Atlassian Sign In Page", "target_policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" } ], "targeted": true } } ``` ## Domain Types ### HTTP Details - `type HTTPDetails struct{…}` - `Host string` The url of the HTTP synthetic application test - `HTTPStats HTTPDetailsHTTPStats` - `AvailabilityPct HTTPDetailsHTTPStatsAvailabilityPct` - `Slots []HTTPDetailsHTTPStatsAvailabilityPctSlot` - `Timestamp string` - `Value float64` - `Avg float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - 
`DNSResponseTimeMs TestStatOverTime` - `Slots []TestStatOverTimeSlot` - `Timestamp string` - `Value int64` - `Avg int64` average observed in the time period - `Max int64` highest observed in the time period - `Min int64` lowest observed in the time period - `HTTPStatusCode []HTTPDetailsHTTPStatsHTTPStatusCode` - `Status200 int64` - `Status300 int64` - `Status400 int64` - `Status500 int64` - `Timestamp string` - `ResourceFetchTimeMs TestStatOverTime` - `ServerResponseTimeMs TestStatOverTime` - `UniqueDevicesTotal int64` Count of unique devices that have run this test in the given time period - `HTTPStatsByColo []HTTPDetailsHTTPStatsByColo` - `AvailabilityPct HTTPDetailsHTTPStatsByColoAvailabilityPct` - `Slots []HTTPDetailsHTTPStatsByColoAvailabilityPctSlot` - `Timestamp string` - `Value float64` - `Avg float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - `Colo string` - `DNSResponseTimeMs TestStatOverTime` - `HTTPStatusCode []HTTPDetailsHTTPStatsByColoHTTPStatusCode` - `Status200 int64` - `Status300 int64` - `Status400 int64` - `Status500 int64` - `Timestamp string` - `ResourceFetchTimeMs TestStatOverTime` - `ServerResponseTimeMs TestStatOverTime` - `UniqueDevicesTotal int64` Count of unique devices that have run this test in the given time period - `Interval string` The interval at which the HTTP synthetic application test is set to run. - `Kind HTTPDetailsKind` - `const HTTPDetailsKindHTTP HTTPDetailsKind = "http"` - `Method string` The HTTP method to use when running the test - `Name string` The name of the HTTP synthetic application test - `TargetPolicies []DigitalExperienceMonitor` - `ID string` API Resource UUID tag. 
- `Default bool` Whether the policy is the default for the account - `Name string` - `Targeted bool` # Percentiles ## Get percentiles for an http test `client.ZeroTrust.DEX.HTTPTests.Percentiles.Get(ctx, testID, params) (*HTTPDetailsPercentiles, error)` **get** `/accounts/{account_id}/dex/http-tests/{test_id}/percentiles` Get percentiles for an http test for a given time period between 1 hour and 7 days. ### Parameters - `testID string` API Resource UUID tag. - `params DEXHTTPTestPercentileGetParams` - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path. - `From param.Field[string]` Query param: Start time for the query in ISO (RFC3339 - ISO 8601) format - `To param.Field[string]` Query param: End time for the query in ISO (RFC3339 - ISO 8601) format - `Colo param.Field[string]` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param. - `DeviceID param.Field[[]string]` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param. 
### Returns - `type HTTPDetailsPercentiles struct{…}` - `DNSResponseTimeMs Percentiles` - `P50 float64` p50 observed in the time period - `P90 float64` p90 observed in the time period - `P95 float64` p95 observed in the time period - `P99 float64` p99 observed in the time period - `ResourceFetchTimeMs Percentiles` - `ServerResponseTimeMs Percentiles` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) httpDetailsPercentiles, err := client.ZeroTrust.DEX.HTTPTests.Percentiles.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DEXHTTPTestPercentileGetParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), From: cloudflare.F("2023-09-20T17:00:00Z"), To: cloudflare.F("2023-09-20T17:00:00Z"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", httpDetailsPercentiles.DNSResponseTimeMs) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "dnsResponseTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "resourceFetchTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "serverResponseTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 } } } ``` ## Domain Types ### HTTP Details Percentiles - `type HTTPDetailsPercentiles struct{…}` - `DNSResponseTimeMs Percentiles` - `P50 float64` p50 observed in the time period - `P90 float64` p90 observed in the time period - `P95 float64` p95 observed in the time period - `P99 float64` p99 observed in the time period - `ResourceFetchTimeMs Percentiles` - `ServerResponseTimeMs 
Percentiles` ### Test Stat Over Time - `type TestStatOverTime struct{…}` - `Slots []TestStatOverTimeSlot` - `Timestamp string` - `Value int64` - `Avg int64` average observed in the time period - `Max int64` highest observed in the time period - `Min int64` lowest observed in the time period # Tests ## List DEX test analytics `client.ZeroTrust.DEX.Tests.List(ctx, params) (*V4PagePagination[Tests], error)` **get** `/accounts/{account_id}/dex/tests/overview` List DEX tests with overview metrics ### Parameters - `params DEXTestListParams` - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path. - `Colo param.Field[string]` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param. - `DeviceID param.Field[[]string]` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param. - `Kind param.Field[DEXTestListParamsKind]` Query param: Filter by test type - `const DEXTestListParamsKindHTTP DEXTestListParamsKind = "http"` - `const DEXTestListParamsKindTraceroute DEXTestListParamsKind = "traceroute"` - `Page param.Field[float64]` Query param: Page number of paginated results - `PerPage param.Field[float64]` Query param: Number of items per page - `TestName param.Field[string]` Query param: Optionally filter results by test name ### Returns - `type Tests struct{…}` - `OverviewMetrics TestsOverviewMetrics` - `TestsTotal int64` number of tests. - `AvgHTTPAvailabilityPct float64` percentage availability for all HTTP test results in response - `AvgTracerouteAvailabilityPct float64` percentage availability for all traceroutes results in response - `Tests []TestsTest` array of test results objects. - `ID string` API Resource UUID tag. - `Created string` date the test was created. - `Description string` the test description defined during configuration - `Enabled bool` if true, then the test will run on targeted devices. 
Else, the test will not run. - `Host string` - `Interval string` The interval at which the synthetic application test is set to run. - `Kind TestsTestsKind` test type, http or traceroute - `const TestsTestsKindHTTP TestsTestsKind = "http"` - `const TestsTestsKindTraceroute TestsTestsKind = "traceroute"` - `Name string` name given to this test - `Updated string` - `HTTPResults TestsTestsHTTPResults` - `ResourceFetchTime TestsTestsHTTPResultsResourceFetchTime` - `History []TestsTestsHTTPResultsResourceFetchTimeHistory` - `TimePeriod AggregateTimePeriod` - `Units AggregateTimePeriodUnits` - `const AggregateTimePeriodUnitsHours AggregateTimePeriodUnits = "hours"` - `const AggregateTimePeriodUnitsDays AggregateTimePeriodUnits = "days"` - `const AggregateTimePeriodUnitsTestRuns AggregateTimePeriodUnits = "testRuns"` - `Value int64` - `AvgMs int64` - `DeltaPct float64` - `AvgMs int64` - `OverTime TestsTestsHTTPResultsResourceFetchTimeOverTime` - `TimePeriod AggregateTimePeriod` - `Values []TestsTestsHTTPResultsResourceFetchTimeOverTimeValue` - `AvgMs int64` - `Timestamp string` - `HTTPResultsByColo []TestsTestsHTTPResultsByColo` - `Colo string` Cloudflare colo - `ResourceFetchTime TestsTestsHTTPResultsByColoResourceFetchTime` - `History []TestsTestsHTTPResultsByColoResourceFetchTimeHistory` - `TimePeriod AggregateTimePeriod` - `AvgMs int64` - `DeltaPct float64` - `AvgMs int64` - `OverTime TestsTestsHTTPResultsByColoResourceFetchTimeOverTime` - `TimePeriod AggregateTimePeriod` - `Values []TestsTestsHTTPResultsByColoResourceFetchTimeOverTimeValue` - `AvgMs int64` - `Timestamp string` - `Method string` for HTTP, the method to use when running the test - `TargetPolicies []DigitalExperienceMonitor` - `ID string` API Resource UUID tag. 
- `Default bool` Whether the policy is the default for the account - `Name string` - `Targeted bool` - `TracerouteResults TestsTestsTracerouteResults` - `RoundTripTime TestsTestsTracerouteResultsRoundTripTime` - `History []TestsTestsTracerouteResultsRoundTripTimeHistory` - `TimePeriod AggregateTimePeriod` - `AvgMs int64` - `DeltaPct float64` - `AvgMs int64` - `OverTime TestsTestsTracerouteResultsRoundTripTimeOverTime` - `TimePeriod AggregateTimePeriod` - `Values []TestsTestsTracerouteResultsRoundTripTimeOverTimeValue` - `AvgMs int64` - `Timestamp string` - `TracerouteResultsByColo []TestsTestsTracerouteResultsByColo` - `Colo string` Cloudflare colo - `RoundTripTime TestsTestsTracerouteResultsByColoRoundTripTime` - `History []TestsTestsTracerouteResultsByColoRoundTripTimeHistory` - `TimePeriod AggregateTimePeriod` - `AvgMs int64` - `DeltaPct float64` - `AvgMs int64` - `OverTime TestsTestsTracerouteResultsByColoRoundTripTimeOverTime` - `TimePeriod AggregateTimePeriod` - `Values []TestsTestsTracerouteResultsByColoRoundTripTimeOverTimeValue` - `AvgMs int64` - `Timestamp string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.DEX.Tests.List(context.TODO(), zero_trust.DEXTestListParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "overviewMetrics": { "testsTotal": 0, 
"avgHttpAvailabilityPct": 0, "avgTracerouteAvailabilityPct": 0 }, "tests": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created": "created", "description": "description", "enabled": true, "host": "host", "interval": "interval", "kind": "http", "name": "name", "updated": "updated", "httpResults": { "resourceFetchTime": { "history": [ { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 } ], "avgMs": 0, "overTime": { "timePeriod": { "units": "hours", "value": 0 }, "values": [ { "avgMs": 0, "timestamp": "timestamp" } ] } } }, "httpResultsByColo": [ { "colo": "SJC", "resourceFetchTime": { "history": [ { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 } ], "avgMs": 0, "overTime": { "timePeriod": { "units": "hours", "value": 0 }, "values": [ { "avgMs": 0, "timestamp": "timestamp" } ] } } } ], "method": "method", "target_policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" } ], "targeted": true, "tracerouteResults": { "roundTripTime": { "history": [ { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 } ], "avgMs": 0, "overTime": { "timePeriod": { "units": "hours", "value": 0 }, "values": [ { "avgMs": 0, "timestamp": "timestamp" } ] } } }, "tracerouteResultsByColo": [ { "colo": "SJC", "roundTripTime": { "history": [ { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 } ], "avgMs": 0, "overTime": { "timePeriod": { "units": "hours", "value": 0 }, "values": [ { "avgMs": 0, "timestamp": "timestamp" } ] } } } ] } ] } } ``` ## Domain Types ### Aggregate Time Period - `type AggregateTimePeriod struct{…}` - `Units AggregateTimePeriodUnits` - `const AggregateTimePeriodUnitsHours AggregateTimePeriodUnits = "hours"` - `const AggregateTimePeriodUnitsDays AggregateTimePeriodUnits = "days"` - `const AggregateTimePeriodUnitsTestRuns AggregateTimePeriodUnits = "testRuns"` - `Value int64` ### Tests - `type Tests struct{…}` - `OverviewMetrics 
TestsOverviewMetrics` - `TestsTotal int64` number of tests. - `AvgHTTPAvailabilityPct float64` percentage availability for all HTTP test results in response - `AvgTracerouteAvailabilityPct float64` percentage availability for all traceroutes results in response - `Tests []TestsTest` array of test results objects. - `ID string` API Resource UUID tag. - `Created string` date the test was created. - `Description string` the test description defined during configuration - `Enabled bool` if true, then the test will run on targeted devices. Else, the test will not run. - `Host string` - `Interval string` The interval at which the synthetic application test is set to run. - `Kind TestsTestsKind` test type, http or traceroute - `const TestsTestsKindHTTP TestsTestsKind = "http"` - `const TestsTestsKindTraceroute TestsTestsKind = "traceroute"` - `Name string` name given to this test - `Updated string` - `HTTPResults TestsTestsHTTPResults` - `ResourceFetchTime TestsTestsHTTPResultsResourceFetchTime` - `History []TestsTestsHTTPResultsResourceFetchTimeHistory` - `TimePeriod AggregateTimePeriod` - `Units AggregateTimePeriodUnits` - `const AggregateTimePeriodUnitsHours AggregateTimePeriodUnits = "hours"` - `const AggregateTimePeriodUnitsDays AggregateTimePeriodUnits = "days"` - `const AggregateTimePeriodUnitsTestRuns AggregateTimePeriodUnits = "testRuns"` - `Value int64` - `AvgMs int64` - `DeltaPct float64` - `AvgMs int64` - `OverTime TestsTestsHTTPResultsResourceFetchTimeOverTime` - `TimePeriod AggregateTimePeriod` - `Values []TestsTestsHTTPResultsResourceFetchTimeOverTimeValue` - `AvgMs int64` - `Timestamp string` - `HTTPResultsByColo []TestsTestsHTTPResultsByColo` - `Colo string` Cloudflare colo - `ResourceFetchTime TestsTestsHTTPResultsByColoResourceFetchTime` - `History []TestsTestsHTTPResultsByColoResourceFetchTimeHistory` - `TimePeriod AggregateTimePeriod` - `AvgMs int64` - `DeltaPct float64` - `AvgMs int64` - `OverTime TestsTestsHTTPResultsByColoResourceFetchTimeOverTime` 
- `TimePeriod AggregateTimePeriod` - `Values []TestsTestsHTTPResultsByColoResourceFetchTimeOverTimeValue` - `AvgMs int64` - `Timestamp string` - `Method string` for HTTP, the method to use when running the test - `TargetPolicies []DigitalExperienceMonitor` - `ID string` API Resource UUID tag. - `Default bool` Whether the policy is the default for the account - `Name string` - `Targeted bool` - `TracerouteResults TestsTestsTracerouteResults` - `RoundTripTime TestsTestsTracerouteResultsRoundTripTime` - `History []TestsTestsTracerouteResultsRoundTripTimeHistory` - `TimePeriod AggregateTimePeriod` - `AvgMs int64` - `DeltaPct float64` - `AvgMs int64` - `OverTime TestsTestsTracerouteResultsRoundTripTimeOverTime` - `TimePeriod AggregateTimePeriod` - `Values []TestsTestsTracerouteResultsRoundTripTimeOverTimeValue` - `AvgMs int64` - `Timestamp string` - `TracerouteResultsByColo []TestsTestsTracerouteResultsByColo` - `Colo string` Cloudflare colo - `RoundTripTime TestsTestsTracerouteResultsByColoRoundTripTime` - `History []TestsTestsTracerouteResultsByColoRoundTripTimeHistory` - `TimePeriod AggregateTimePeriod` - `AvgMs int64` - `DeltaPct float64` - `AvgMs int64` - `OverTime TestsTestsTracerouteResultsByColoRoundTripTimeOverTime` - `TimePeriod AggregateTimePeriod` - `Values []TestsTestsTracerouteResultsByColoRoundTripTimeOverTimeValue` - `AvgMs int64` - `Timestamp string` # Unique Devices ## Get count of devices targeted `client.ZeroTrust.DEX.Tests.UniqueDevices.List(ctx, params) (*UniqueDevices, error)` **get** `/accounts/{account_id}/dex/tests/unique-devices` Returns unique count of devices that have run synthetic application monitoring tests in the past 7 days. ### Parameters - `params DEXTestUniqueDeviceListParams` - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path. - `DeviceID param.Field[[]string]` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param. 
- `TestName param.Field[string]` Query param: Optionally filter results by test name ### Returns - `type UniqueDevices struct{…}` - `UniqueDevicesTotal int64` total number of unique devices ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) uniqueDevices, err := client.ZeroTrust.DEX.Tests.UniqueDevices.List(context.TODO(), zero_trust.DEXTestUniqueDeviceListParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", uniqueDevices.UniqueDevicesTotal) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "uniqueDevicesTotal": 0 } } ``` ## Domain Types ### Unique Devices - `type UniqueDevices struct{…}` - `UniqueDevicesTotal int64` total number of unique devices # Traceroute Test Results # Network Path ## Get details for a specific traceroute test run `client.ZeroTrust.DEX.TracerouteTestResults.NetworkPath.Get(ctx, testResultID, query) (*DEXTracerouteTestResultNetworkPathGetResponse, error)` **get** `/accounts/{account_id}/dex/traceroute-test-results/{test_result_id}/network-path` Get a breakdown of hops and performance metrics for a specific traceroute test run ### Parameters - `testResultID string` API Resource UUID tag. 
- `query DEXTracerouteTestResultNetworkPathGetParams` - `AccountID param.Field[string]` unique identifier linked to an account ### Returns - `type DEXTracerouteTestResultNetworkPathGetResponse struct{…}` - `Hops []DEXTracerouteTestResultNetworkPathGetResponseHop` an array of the hops taken by the device to reach the end destination - `TTL int64` - `ASN int64` - `Aso string` - `IPAddress string` - `Location DEXTracerouteTestResultNetworkPathGetResponseHopsLocation` - `City string` - `State string` - `Zip string` - `Mile DEXTracerouteTestResultNetworkPathGetResponseHopsMile` - `const DEXTracerouteTestResultNetworkPathGetResponseHopsMileClientToApp DEXTracerouteTestResultNetworkPathGetResponseHopsMile = "client-to-app"` - `const DEXTracerouteTestResultNetworkPathGetResponseHopsMileClientToCfEgress DEXTracerouteTestResultNetworkPathGetResponseHopsMile = "client-to-cf-egress"` - `const DEXTracerouteTestResultNetworkPathGetResponseHopsMileClientToCfIngress DEXTracerouteTestResultNetworkPathGetResponseHopsMile = "client-to-cf-ingress"` - `const DEXTracerouteTestResultNetworkPathGetResponseHopsMileClientToISP DEXTracerouteTestResultNetworkPathGetResponseHopsMile = "client-to-isp"` - `Name string` - `PacketLossPct float64` - `RTTMs int64` - `ResultID string` API Resource UUID tag. - `DeviceName string` name of the device associated with this network path response - `TestID string` API Resource UUID tag. 
- `TestName string` name of the traceroute test

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Sample token as shown in the documentation.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Fetch the hop-by-hop breakdown for one traceroute test run.
	networkPath, err := client.ZeroTrust.DEX.TracerouteTestResults.NetworkPath.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", // testResultID
		zero_trust.DEXTracerouteTestResultNetworkPathGetParams{
			AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", networkPath.Hops)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "hops": [
      {
        "ttl": 0,
        "asn": 0,
        "aso": "aso",
        "ipAddress": "ipAddress",
        "location": {
          "city": "city",
          "state": "state",
          "zip": "zip"
        },
        "mile": "client-to-app",
        "name": "name",
        "packetLossPct": 0,
        "rttMs": 0
      }
    ],
    "resultId": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "deviceName": "deviceName",
    "testId": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "testName": "testName"
  }
}
```

# Traceroute Tests

## Get details and aggregate metrics for a traceroute test

`client.ZeroTrust.DEX.TracerouteTests.Get(ctx, testID, params) (*Traceroute, error)`

**get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}`

Get test details and aggregate performance metrics for a traceroute test for a given time period between 1 hour and 7 days.

### Parameters

- `testID string` API Resource UUID tag.
- `params DEXTracerouteTestGetParams` - `AccountID param.Field[string]` Path param: Unique identifier linked to an account - `From param.Field[string]` Query param: Start time for aggregate metrics in ISO ms - `Interval param.Field[DEXTracerouteTestGetParamsInterval]` Query param: Time interval for aggregate time slots. - `const DEXTracerouteTestGetParamsIntervalMinute DEXTracerouteTestGetParamsInterval = "minute"` - `const DEXTracerouteTestGetParamsIntervalHour DEXTracerouteTestGetParamsInterval = "hour"` - `To param.Field[string]` Query param: End time for aggregate metrics in ISO ms - `Colo param.Field[string]` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param. - `DeviceID param.Field[[]string]` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param. ### Returns - `type Traceroute struct{…}` - `Host string` The host of the Traceroute synthetic application test - `Interval string` The interval at which the Traceroute synthetic application test is set to run. - `Kind TracerouteKind` - `const TracerouteKindTraceroute TracerouteKind = "traceroute"` - `Name string` The name of the Traceroute synthetic application test - `TargetPolicies []DigitalExperienceMonitor` - `ID string` API Resource UUID tag. 
- `Default bool` Whether the policy is the default for the account - `Name string` - `Targeted bool` - `TracerouteStats TracerouteTracerouteStats` - `AvailabilityPct TracerouteTracerouteStatsAvailabilityPct` - `Slots []TracerouteTracerouteStatsAvailabilityPctSlot` - `Timestamp string` - `Value float64` - `Avg float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - `HopsCount TestStatOverTime` - `Slots []TestStatOverTimeSlot` - `Timestamp string` - `Value int64` - `Avg int64` average observed in the time period - `Max int64` highest observed in the time period - `Min int64` lowest observed in the time period - `PacketLossPct TracerouteTracerouteStatsPacketLossPct` - `Slots []TracerouteTracerouteStatsPacketLossPctSlot` - `Timestamp string` - `Value float64` - `Avg float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - `RoundTripTimeMs TestStatOverTime` - `UniqueDevicesTotal int64` Count of unique devices that have run this test in the given time period - `TracerouteStatsByColo []TracerouteTracerouteStatsByColo` - `AvailabilityPct TracerouteTracerouteStatsByColoAvailabilityPct` - `Slots []TracerouteTracerouteStatsByColoAvailabilityPctSlot` - `Timestamp string` - `Value float64` - `Avg float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - `Colo string` - `HopsCount TestStatOverTime` - `PacketLossPct TracerouteTracerouteStatsByColoPacketLossPct` - `Slots []TracerouteTracerouteStatsByColoPacketLossPctSlot` - `Timestamp string` - `Value float64` - `Avg float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - `RoundTripTimeMs TestStatOverTime` - `UniqueDevicesTotal int64` Count of unique devices that 
have run this test in the given time period ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) traceroute, err := client.ZeroTrust.DEX.TracerouteTests.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DEXTracerouteTestGetParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), From: cloudflare.F("1689520412000"), Interval: cloudflare.F(zero_trust.DEXTracerouteTestGetParamsIntervalMinute), To: cloudflare.F("1689606812000"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", traceroute.Host) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "host": "1.1.1.1", "interval": "0h5m0s", "kind": "traceroute", "name": "Atlassian Sign In Page", "target_policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" } ], "targeted": true, "tracerouteStats": { "availabilityPct": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "hopsCount": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "packetLossPct": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "roundTripTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "uniqueDevicesTotal": 57 }, "tracerouteStatsByColo": [ { "availabilityPct": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 
0, "min": 0 }, "colo": "DFW", "hopsCount": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "packetLossPct": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "roundTripTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "uniqueDevicesTotal": 57 } ] } } ``` ## Get percentiles for a traceroute test `client.ZeroTrust.DEX.TracerouteTests.Percentiles(ctx, testID, params) (*DEXTracerouteTestPercentilesResponse, error)` **get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}/percentiles` Get percentiles for a traceroute test for a given time period between 1 hour and 7 days. ### Parameters - `testID string` API Resource UUID tag. - `params DEXTracerouteTestPercentilesParams` - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path. - `From param.Field[string]` Query param: Start time for the query in ISO (RFC3339 - ISO 8601) format - `To param.Field[string]` Query param: End time for the query in ISO (RFC3339 - ISO 8601) format - `Colo param.Field[string]` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param. - `DeviceID param.Field[[]string]` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param. 
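
A client-side check of the constraints documented for this percentiles call and for the HTTP test percentiles call earlier on the page: RFC 3339 `From`/`To`, a period between 1 hour and 7 days, and `Colo` not combined with `DeviceID`. This is an added example, not part of cloudflare-go; `PercentilesQuery`, `Validate`, `LastWindow` and the error names are hypothetical, and treating the 1 hour and 7 day bounds as inclusive is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// PercentilesQuery is a hypothetical stand-in for the documented query
// parameters From, To, Colo and DeviceID of the percentiles endpoints.
type PercentilesQuery struct {
	From, To  string   // RFC 3339 timestamps, as the parameter docs require
	Colo      string   // optional Cloudflare colo filter
	DeviceIDs []string // optional device filter
}

// Documented period: "between 1 hour and 7 days" (inclusive bounds assumed).
const (
	minWindow = time.Hour
	maxWindow = 7 * 24 * time.Hour
)

var (
	ErrBadTime   = errors.New("timestamp is not RFC 3339")
	ErrWindow    = errors.New("time period outside 1 hour to 7 days")
	ErrExclusive = errors.New("colo and deviceId cannot be combined")
)

// Validate checks the query against the documented constraints before any
// request is sent and returns the length of the requested period.
func (q PercentilesQuery) Validate() (time.Duration, error) {
	from, err := time.Parse(time.RFC3339, q.From)
	if err != nil {
		return 0, fmt.Errorf("%w: from=%q", ErrBadTime, q.From)
	}
	to, err := time.Parse(time.RFC3339, q.To)
	if err != nil {
		return 0, fmt.Errorf("%w: to=%q", ErrBadTime, q.To)
	}
	if q.Colo != "" && len(q.DeviceIDs) > 0 {
		return 0, ErrExclusive
	}
	// Compare instants, not strings, so differing UTC offsets are handled.
	window := to.Sub(from)
	if window < minWindow || window > maxWindow {
		return 0, fmt.Errorf("%w: got %s", ErrWindow, window)
	}
	return window, nil
}

// LastWindow builds a query covering the d preceding now, formatted in UTC.
func LastWindow(now time.Time, d time.Duration) PercentilesQuery {
	return PercentilesQuery{
		From: now.Add(-d).UTC().Format(time.RFC3339),
		To:   now.UTC().Format(time.RFC3339),
	}
}

func main() {
	// Constructed inputs; the first reuses the From/To values of the page's example.
	samples := []PercentilesQuery{
		{From: "2023-09-20T17:00:00Z", To: "2023-09-20T17:00:00Z"},
		{From: "1689520412000", To: "1689606812000"}, // epoch ms belongs to the non-percentile calls
		{From: "2023-09-20T17:00:00+02:00", To: "2023-09-20T16:00:00Z"},
		{From: "2023-09-19T17:00:00Z", To: "2023-09-20T17:00:00Z",
			Colo: "DFW", DeviceIDs: []string{"f174e90a-fafe-4643-bbbc-4a0ed4fc8415"}},
		LastWindow(time.Date(2023, 9, 20, 17, 0, 0, 0, time.UTC), 24*time.Hour),
	}
	for _, q := range samples {
		window, err := q.Validate()
		fmt.Printf("from=%s to=%s window=%s err=%v\n", q.From, q.To, window, err)
	}
}
```

The page does not say how the API responds to a request outside these constraints; the check only keeps such a request from being sent.
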
### Returns - `type DEXTracerouteTestPercentilesResponse struct{…}` - `HopsCount Percentiles` - `P50 float64` p50 observed in the time period - `P90 float64` p90 observed in the time period - `P95 float64` p95 observed in the time period - `P99 float64` p99 observed in the time period - `PacketLossPct Percentiles` - `RoundTripTimeMs Percentiles` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) response, err := client.ZeroTrust.DEX.TracerouteTests.Percentiles( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DEXTracerouteTestPercentilesParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), From: cloudflare.F("2023-09-20T17:00:00Z"), To: cloudflare.F("2023-09-20T17:00:00Z"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", response.HopsCount) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "hopsCount": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "packetLossPct": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "roundTripTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 } } } ``` ## Get network path breakdown for a traceroute test `client.ZeroTrust.DEX.TracerouteTests.NetworkPath(ctx, testID, params) (*NetworkPathResponse, error)` **get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}/network-path` Get a breakdown of metrics by hop for individual traceroute test runs ### Parameters - `testID string` API Resource UUID tag. 
- `params DEXTracerouteTestNetworkPathParams` - `AccountID param.Field[string]` Path param: unique identifier linked to an account - `DeviceID param.Field[string]` Query param: Device to filter traceroute result runs to - `From param.Field[string]` Query param: Start time for aggregate metrics in ISO ms - `Interval param.Field[DEXTracerouteTestNetworkPathParamsInterval]` Query param: Time interval for aggregate time slots. - `const DEXTracerouteTestNetworkPathParamsIntervalMinute DEXTracerouteTestNetworkPathParamsInterval = "minute"` - `const DEXTracerouteTestNetworkPathParamsIntervalHour DEXTracerouteTestNetworkPathParamsInterval = "hour"` - `To param.Field[string]` Query param: End time for aggregate metrics in ISO ms ### Returns - `type NetworkPathResponse struct{…}` - `ID string` API Resource UUID tag. - `DeviceName string` - `Interval string` The interval at which the Traceroute synthetic application test is set to run. - `Kind NetworkPathResponseKind` - `const NetworkPathResponseKindTraceroute NetworkPathResponseKind = "traceroute"` - `Name string` - `NetworkPath NetworkPath` - `Slots []NetworkPathSlot` - `ID string` API Resource UUID tag. - `ClientToAppRTTMs int64` Round trip time in ms of the client to app mile - `ClientToCfEgressRTTMs int64` Round trip time in ms of the client to Cloudflare egress mile - `ClientToCfIngressRTTMs int64` Round trip time in ms of the client to Cloudflare ingress mile - `Timestamp string` - `ClientToISPRTTMs int64` Round trip time in ms of the client to ISP mile - `Sampling NetworkPathSampling` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval.
- `Unit NetworkPathSamplingUnit` - `const NetworkPathSamplingUnitHours NetworkPathSamplingUnit = "hours"` - `Value int64` - `URL string` The host of the Traceroute synthetic application test ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) networkPathResponse, err := client.ZeroTrust.DEX.TracerouteTests.NetworkPath( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DEXTracerouteTestNetworkPathParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), DeviceID: cloudflare.F("deviceId"), From: cloudflare.F("1689520412000"), Interval: cloudflare.F(zero_trust.DEXTracerouteTestNetworkPathParamsIntervalMinute), To: cloudflare.F("1689606812000"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", networkPathResponse.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "deviceName": "deviceName", "interval": "0h5m0s", "kind": "traceroute", "name": "name", "networkPath": { "slots": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "clientToAppRttMs": 0, "clientToCfEgressRttMs": 0, "clientToCfIngressRttMs": 0, "timestamp": "2023-07-16 15:00:00+00", "clientToIspRttMs": 0 } ], "sampling": { "unit": "hours", "value": 0 } }, "url": "1.1.1.1" } } ``` ## Domain Types ### Traceroute - `type Traceroute struct{…}` - `Host string` The host of the Traceroute synthetic application test - `Interval string` The interval at which the Traceroute synthetic application test is set to run. 
- `Kind TracerouteKind` - `const TracerouteKindTraceroute TracerouteKind = "traceroute"` - `Name string` The name of the Traceroute synthetic application test - `TargetPolicies []DigitalExperienceMonitor` - `ID string` API Resource UUID tag. - `Default bool` Whether the policy is the default for the account - `Name string` - `Targeted bool` - `TracerouteStats TracerouteTracerouteStats` - `AvailabilityPct TracerouteTracerouteStatsAvailabilityPct` - `Slots []TracerouteTracerouteStatsAvailabilityPctSlot` - `Timestamp string` - `Value float64` - `Avg float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - `HopsCount TestStatOverTime` - `Slots []TestStatOverTimeSlot` - `Timestamp string` - `Value int64` - `Avg int64` average observed in the time period - `Max int64` highest observed in the time period - `Min int64` lowest observed in the time period - `PacketLossPct TracerouteTracerouteStatsPacketLossPct` - `Slots []TracerouteTracerouteStatsPacketLossPctSlot` - `Timestamp string` - `Value float64` - `Avg float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - `RoundTripTimeMs TestStatOverTime` - `UniqueDevicesTotal int64` Count of unique devices that have run this test in the given time period - `TracerouteStatsByColo []TracerouteTracerouteStatsByColo` - `AvailabilityPct TracerouteTracerouteStatsByColoAvailabilityPct` - `Slots []TracerouteTracerouteStatsByColoAvailabilityPctSlot` - `Timestamp string` - `Value float64` - `Avg float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - `Colo string` - `HopsCount TestStatOverTime` - `PacketLossPct TracerouteTracerouteStatsByColoPacketLossPct` - `Slots []TracerouteTracerouteStatsByColoPacketLossPctSlot` - `Timestamp string` - `Value float64` - `Avg 
float64` average observed in the time period - `Max float64` highest observed in the time period - `Min float64` lowest observed in the time period - `RoundTripTimeMs TestStatOverTime` - `UniqueDevicesTotal int64` Count of unique devices that have run this test in the given time period # Rules ## Get DEX Rule `client.ZeroTrust.DEX.Rules.Get(ctx, ruleID, query) (*DEXRuleGetResponse, error)` **get** `/accounts/{account_id}/dex/rules/{rule_id}` Get details for a DEX Rule ### Parameters - `ruleID string` API Resource UUID tag. - `query DEXRuleGetParams` - `AccountID param.Field[string]` unique identifier linked to an account in the API request path ### Returns - `type DEXRuleGetResponse struct{…}` - `ID string` API Resource UUID tag. - `CreatedAt string` - `Match string` - `Name string` - `Description string` - `TargetedTests []DEXRuleGetResponseTargetedTest` - `Data DEXRuleGetResponseTargetedTestsData` The configuration object which contains the details for the WARP client to conduct the test. - `Host string` The desired endpoint to test. - `Kind DEXRuleGetResponseTargetedTestsDataKind` The type of test. - `const DEXRuleGetResponseTargetedTestsDataKindHTTP DEXRuleGetResponseTargetedTestsDataKind = "http"` - `const DEXRuleGetResponseTargetedTestsDataKindTraceroute DEXRuleGetResponseTargetedTestsDataKind = "traceroute"` - `Method DEXRuleGetResponseTargetedTestsDataMethod` The HTTP request method type. 
- `const DEXRuleGetResponseTargetedTestsDataMethodGet DEXRuleGetResponseTargetedTestsDataMethod = "GET"` - `Enabled bool` - `Name string` - `TestID string` - `UpdatedAt string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) rule, err := client.ZeroTrust.DEX.Rules.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DEXRuleGetParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", rule.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2023-07-16 15:00:00+00", "match": "match", "name": "name", "description": "description", "targeted_tests": [ { "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" }, "enabled": true, "name": "name", "test_id": "test_id" } ], "updated_at": "2023-07-16 15:00:00+00" } } ``` ## Delete a DEX Rule `client.ZeroTrust.DEX.Rules.Delete(ctx, ruleID, body) (*bool, error)` **delete** `/accounts/{account_id}/dex/rules/{rule_id}` Delete a DEX Rule ### Parameters - `ruleID string` API Resource UUID tag. 
- `body DEXRuleDeleteParams` - `AccountID param.Field[string]` unique identifier linked to an account in the API request path ### Returns - `type DEXRuleDeleteResponseEnvelopeResult bool` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) rule, err := client.ZeroTrust.DEX.Rules.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DEXRuleDeleteParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", rule) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": true } ``` ## Update a DEX Rule `client.ZeroTrust.DEX.Rules.Update(ctx, ruleID, params) (*DEXRuleUpdateResponse, error)` **patch** `/accounts/{account_id}/dex/rules/{rule_id}` Update a DEX Rule ### Parameters - `ruleID string` API Resource UUID tag. - `params DEXRuleUpdateParams` - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path - `Description param.Field[string]` Body param - `Match param.Field[string]` Body param: The wirefilter expression to match. - `Name param.Field[string]` Body param: The name of the Rule. ### Returns - `type DEXRuleUpdateResponse struct{…}` - `ID string` API Resource UUID tag. 
- `CreatedAt string` - `Match string` - `Name string` - `Description string` - `TargetedTests []DEXRuleUpdateResponseTargetedTest` - `Data DEXRuleUpdateResponseTargetedTestsData` The configuration object which contains the details for the WARP client to conduct the test. - `Host string` The desired endpoint to test. - `Kind DEXRuleUpdateResponseTargetedTestsDataKind` The type of test. - `const DEXRuleUpdateResponseTargetedTestsDataKindHTTP DEXRuleUpdateResponseTargetedTestsDataKind = "http"` - `const DEXRuleUpdateResponseTargetedTestsDataKindTraceroute DEXRuleUpdateResponseTargetedTestsDataKind = "traceroute"` - `Method DEXRuleUpdateResponseTargetedTestsDataMethod` The HTTP request method type. - `const DEXRuleUpdateResponseTargetedTestsDataMethodGet DEXRuleUpdateResponseTargetedTestsDataMethod = "GET"` - `Enabled bool` - `Name string` - `TestID string` - `UpdatedAt string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) rule, err := client.ZeroTrust.DEX.Rules.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.DEXRuleUpdateParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", rule.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2023-07-16 15:00:00+00", "match": "match", "name": "name", "description": "description", "targeted_tests": [ { "data": { "host": 
"https://dash.cloudflare.com", "kind": "http", "method": "GET" }, "enabled": true, "name": "name", "test_id": "test_id" } ], "updated_at": "2023-07-16 15:00:00+00" } } ``` ## Create a DEX Rule `client.ZeroTrust.DEX.Rules.New(ctx, params) (*DEXRuleNewResponse, error)` **post** `/accounts/{account_id}/dex/rules` Create a DEX Rule ### Parameters - `params DEXRuleNewParams` - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path - `Match param.Field[string]` Body param: The wirefilter expression to match. - `Name param.Field[string]` Body param: The name of the Rule. - `Description param.Field[string]` Body param ### Returns - `type DEXRuleNewResponse struct{…}` - `ID string` API Resource UUID tag. - `CreatedAt string` - `Match string` - `Name string` - `Description string` - `TargetedTests []DEXRuleNewResponseTargetedTest` - `Data DEXRuleNewResponseTargetedTestsData` The configuration object which contains the details for the WARP client to conduct the test. - `Host string` The desired endpoint to test. - `Kind DEXRuleNewResponseTargetedTestsDataKind` The type of test. - `const DEXRuleNewResponseTargetedTestsDataKindHTTP DEXRuleNewResponseTargetedTestsDataKind = "http"` - `const DEXRuleNewResponseTargetedTestsDataKindTraceroute DEXRuleNewResponseTargetedTestsDataKind = "traceroute"` - `Method DEXRuleNewResponseTargetedTestsDataMethod` The HTTP request method type. 
- `const DEXRuleNewResponseTargetedTestsDataMethodGet DEXRuleNewResponseTargetedTestsDataMethod = "GET"` - `Enabled bool` - `Name string` - `TestID string` - `UpdatedAt string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) rule, err := client.ZeroTrust.DEX.Rules.New(context.TODO(), zero_trust.DEXRuleNewParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), Match: cloudflare.F("match"), Name: cloudflare.F("name"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", rule.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2023-07-16 15:00:00+00", "match": "match", "name": "name", "description": "description", "targeted_tests": [ { "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" }, "enabled": true, "name": "name", "test_id": "test_id" } ], "updated_at": "2023-07-16 15:00:00+00" } } ``` ## List DEX Rules `client.ZeroTrust.DEX.Rules.List(ctx, params) (*V4PagePagination[DEXRuleListResponse], error)` **get** `/accounts/{account_id}/dex/rules` List DEX Rules ### Parameters - `params DEXRuleListParams` - `AccountID param.Field[string]` Path param: unique identifier linked to an account in the API request path - `Page param.Field[float64]` Query param: Page number of paginated results - `PerPage param.Field[float64]` Query param: Number of items per page - `Name param.Field[string]` Query param: Filter results by rule name - `SortBy 
param.Field[DEXRuleListParamsSortBy]` Query param: Which property to sort results by - `const DEXRuleListParamsSortByName DEXRuleListParamsSortBy = "name"` - `const DEXRuleListParamsSortByCreatedAt DEXRuleListParamsSortBy = "created_at"` - `const DEXRuleListParamsSortByUpdatedAt DEXRuleListParamsSortBy = "updated_at"` - `SortOrder param.Field[DEXRuleListParamsSortOrder]` Query param: Sort direction for sort_by property - `const DEXRuleListParamsSortOrderAsc DEXRuleListParamsSortOrder = "ASC"` - `const DEXRuleListParamsSortOrderDesc DEXRuleListParamsSortOrder = "DESC"` ### Returns - `type DEXRuleListResponse struct{…}` - `Rules []DEXRuleListResponseRule` - `ID string` API Resource UUID tag. - `CreatedAt string` - `Match string` - `Name string` - `Description string` - `TargetedTests []DEXRuleListResponseRulesTargetedTest` - `Data DEXRuleListResponseRulesTargetedTestsData` The configuration object which contains the details for the WARP client to conduct the test. - `Host string` The desired endpoint to test. - `Kind DEXRuleListResponseRulesTargetedTestsDataKind` The type of test. - `const DEXRuleListResponseRulesTargetedTestsDataKindHTTP DEXRuleListResponseRulesTargetedTestsDataKind = "http"` - `const DEXRuleListResponseRulesTargetedTestsDataKindTraceroute DEXRuleListResponseRulesTargetedTestsDataKind = "traceroute"` - `Method DEXRuleListResponseRulesTargetedTestsDataMethod` The HTTP request method type. 
- `const DEXRuleListResponseRulesTargetedTestsDataMethodGet DEXRuleListResponseRulesTargetedTestsDataMethod = "GET"` - `Enabled bool` - `Name string` - `TestID string` - `UpdatedAt string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.DEX.Rules.List(context.TODO(), zero_trust.DEXRuleListParams{ AccountID: cloudflare.F("01a7362d577a6c3019a474fd6f485823"), Page: cloudflare.F(1.000000), PerPage: cloudflare.F(1.000000), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "rules": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2023-07-16 15:00:00+00", "match": "match", "name": "name", "description": "description", "targeted_tests": [ { "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" }, "enabled": true, "name": "name", "test_id": "test_id" } ], "updated_at": "2023-07-16 15:00:00+00" } ] }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` # Tunnels ## List All Tunnels `client.ZeroTrust.Tunnels.List(ctx, params) (*V4PagePaginationArray[TunnelListResponse], error)` **get** `/accounts/{account_id}/tunnels` Lists and filters all types of Tunnels in an account. 
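An added example, not part of the Cloudflare SDK or its documentation: one way to turn this endpoint's response into an audit of tunnel health and connector versions, using the `status`, `config_src`, `deleted_at`, `connections[].client_version` and `connections[].is_pending_reconnect` fields documented for it. The response body, the tunnel names other than `blog`, the `auditTunnels` and `versionLess` helpers and the `2024.1.0` version baseline are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Subset of the list response fields documented for this endpoint.
type connection struct {
	ClientVersion      string `json:"client_version"`
	ColoName           string `json:"colo_name"`
	IsPendingReconnect bool   `json:"is_pending_reconnect"`
}

type tunnel struct {
	Name        string       `json:"name"`
	ConfigSrc   string       `json:"config_src"`
	Status      string       `json:"status"`
	DeletedAt   *string      `json:"deleted_at"` // nil when the tunnel is not deleted
	Connections []connection `json:"connections"`
}

type envelope struct {
	Success bool     `json:"success"`
	Result  []tunnel `json:"result"`
}

// sampleResponse is constructed for this example; it is not real account data.
const sampleResponse = `{"success": true, "result": [
 {"name": "blog", "config_src": "cloudflare", "status": "healthy", "connections": [
   {"client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false}]},
 {"name": "legacy-vpn", "config_src": "local", "status": "down", "connections": []},
 {"name": "api", "config_src": "cloudflare", "status": "degraded", "connections": [
   {"client_version": "2024.6.0", "colo_name": "DFW", "is_pending_reconnect": true}]},
 {"name": "old", "config_src": "local", "status": "down",
  "deleted_at": "2009-11-10T23:00:00Z", "connections": []}
]}`

// versionLess compares dotted numeric versions such as "2022.7.1" component by
// component, so "2022.7.1" sorts before "2022.10.0". Missing or non-numeric
// components count as 0, which makes an empty version compare as oldest.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// auditTunnels decodes a tunnel list response and returns one finding per issue.
// minVersion is the operator's own cloudflared baseline (an assumption here).
func auditTunnels(body []byte, minVersion string) ([]string, error) {
	var env envelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("API response has success=false")
	}
	var findings []string
	for _, t := range env.Result {
		if t.DeletedAt != nil {
			continue // skip tunnels that are already deleted
		}
		switch t.Status {
		case "down", "degraded":
			findings = append(findings, fmt.Sprintf("%s: status %s", t.Name, t.Status))
		case "inactive":
			findings = append(findings, fmt.Sprintf("%s: never run, candidate for removal", t.Name))
		}
		if t.ConfigSrc == "local" {
			findings = append(findings, fmt.Sprintf("%s: locally configured, review the YAML on the origin", t.Name))
		}
		for _, c := range t.Connections {
			if c.IsPendingReconnect {
				findings = append(findings, fmt.Sprintf("%s: connection in %s is pending reconnect", t.Name, c.ColoName))
			}
			if versionLess(c.ClientVersion, minVersion) {
				findings = append(findings, fmt.Sprintf("%s: connector in %s runs cloudflared %s, below %s",
					t.Name, c.ColoName, c.ClientVersion, minVersion))
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := auditTunnels([]byte(sampleResponse), "2024.1.0")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

In practice the body would come from paging through this endpoint with `Page` and `PerPage` until every tunnel has been read, so the audit covers the whole account rather than the first page.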
### Parameters - `params TunnelListParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `ExcludePrefix param.Field[string]` Query param - `ExistedAt param.Field[string]` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded. - `IncludePrefix param.Field[string]` Query param - `IsDeleted param.Field[bool]` Query param: If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. - `Name param.Field[string]` Query param: A user-friendly name for the tunnel. - `Page param.Field[float64]` Query param: Page number of paginated results. - `PerPage param.Field[float64]` Query param: Number of results to display. - `Status param.Field[TunnelListParamsStatus]` Query param: The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `const TunnelListParamsStatusInactive TunnelListParamsStatus = "inactive"` - `const TunnelListParamsStatusDegraded TunnelListParamsStatus = "degraded"` - `const TunnelListParamsStatusHealthy TunnelListParamsStatus = "healthy"` - `const TunnelListParamsStatusDown TunnelListParamsStatus = "down"` - `TunTypes param.Field[[]TunnelListParamsTunType]` Query param: The types of tunnels to filter by, separated by commas. 
- `const TunnelListParamsTunTypeCfdTunnel TunnelListParamsTunType = "cfd_tunnel"` - `const TunnelListParamsTunTypeWARPConnector TunnelListParamsTunType = "warp_connector"` - `const TunnelListParamsTunTypeWARP TunnelListParamsTunType = "warp"` - `const TunnelListParamsTunTypeMagic TunnelListParamsTunType = "magic"` - `const TunnelListParamsTunTypeIPSec TunnelListParamsTunType = "ip_sec"` - `const TunnelListParamsTunTypeGRE TunnelListParamsTunType = "gre"` - `const TunnelListParamsTunTypeCNI TunnelListParamsTunType = "cni"` - `UUID param.Field[string]` Query param: UUID of the tunnel. - `WasActiveAt param.Field[Time]` Query param - `WasInactiveAt param.Field[Time]` Query param ### Returns - `type TunnelListResponse interface{…}` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `type CloudflareTunnel struct{…}` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `ID string` UUID of the tunnel. - `AccountTag string` Cloudflare account ID - `ConfigSrc CloudflareTunnelConfigSrc` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `const CloudflareTunnelConfigSrcLocal CloudflareTunnelConfigSrc = "local"` - `const CloudflareTunnelConfigSrcCloudflare CloudflareTunnelConfigSrc = "cloudflare"` - `Connections []CloudflareTunnelConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `ID string` UUID of the Cloudflare Tunnel connection. - `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. - `ColoName string` The Cloudflare data center used for this connection. - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. 
If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. - `UUID string` UUID of the Cloudflare Tunnel connection. - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Metadata unknown` Metadata associated with the tunnel. - `Name string` A user-friendly name for a tunnel. - `RemoteConfig bool` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `Status CloudflareTunnelStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `const CloudflareTunnelStatusInactive CloudflareTunnelStatus = "inactive"` - `const CloudflareTunnelStatusDegraded CloudflareTunnelStatus = "degraded"` - `const CloudflareTunnelStatusHealthy CloudflareTunnelStatus = "healthy"` - `const CloudflareTunnelStatusDown CloudflareTunnelStatus = "down"` - `TunType CloudflareTunnelTunType` The type of tunnel. 
- `const CloudflareTunnelTunTypeCfdTunnel CloudflareTunnelTunType = "cfd_tunnel"` - `const CloudflareTunnelTunTypeWARPConnector CloudflareTunnelTunType = "warp_connector"` - `const CloudflareTunnelTunTypeWARP CloudflareTunnelTunType = "warp"` - `const CloudflareTunnelTunTypeMagic CloudflareTunnelTunType = "magic"` - `const CloudflareTunnelTunTypeIPSec CloudflareTunnelTunType = "ip_sec"` - `const CloudflareTunnelTunTypeGRE CloudflareTunnelTunType = "gre"` - `const CloudflareTunnelTunTypeCNI CloudflareTunnelTunType = "cni"` - `type TunnelListResponseTunnelWARPConnectorTunnel struct{…}` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `ID string` UUID of the tunnel. - `AccountTag string` Cloudflare account ID - `Connections []TunnelListResponseTunnelWARPConnectorTunnelConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `ID string` UUID of the Cloudflare Tunnel connection. - `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. - `ColoName string` The Cloudflare data center used for this connection. - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. - `UUID string` UUID of the Cloudflare Tunnel connection. - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. 
- `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Metadata unknown` Metadata associated with the tunnel. - `Name string` A user-friendly name for a tunnel. - `Status TunnelListResponseTunnelWARPConnectorTunnelStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `const TunnelListResponseTunnelWARPConnectorTunnelStatusInactive TunnelListResponseTunnelWARPConnectorTunnelStatus = "inactive"` - `const TunnelListResponseTunnelWARPConnectorTunnelStatusDegraded TunnelListResponseTunnelWARPConnectorTunnelStatus = "degraded"` - `const TunnelListResponseTunnelWARPConnectorTunnelStatusHealthy TunnelListResponseTunnelWARPConnectorTunnelStatus = "healthy"` - `const TunnelListResponseTunnelWARPConnectorTunnelStatusDown TunnelListResponseTunnelWARPConnectorTunnelStatus = "down"` - `TunType TunnelListResponseTunnelWARPConnectorTunnelTunType` The type of tunnel. 
- `const TunnelListResponseTunnelWARPConnectorTunnelTunTypeCfdTunnel TunnelListResponseTunnelWARPConnectorTunnelTunType = "cfd_tunnel"` - `const TunnelListResponseTunnelWARPConnectorTunnelTunTypeWARPConnector TunnelListResponseTunnelWARPConnectorTunnelTunType = "warp_connector"` - `const TunnelListResponseTunnelWARPConnectorTunnelTunTypeWARP TunnelListResponseTunnelWARPConnectorTunnelTunType = "warp"` - `const TunnelListResponseTunnelWARPConnectorTunnelTunTypeMagic TunnelListResponseTunnelWARPConnectorTunnelTunType = "magic"` - `const TunnelListResponseTunnelWARPConnectorTunnelTunTypeIPSec TunnelListResponseTunnelWARPConnectorTunnelTunType = "ip_sec"` - `const TunnelListResponseTunnelWARPConnectorTunnelTunTypeGRE TunnelListResponseTunnelWARPConnectorTunnelTunType = "gre"` - `const TunnelListResponseTunnelWARPConnectorTunnelTunTypeCNI TunnelListResponseTunnelWARPConnectorTunnelTunType = "cni"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Tunnels.List(context.TODO(), zero_trust.TunnelListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "config_src": "cloudflare", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": 
"2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "remote_config": true, "status": "healthy", "tun_type": "cfd_tunnel" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Domain Types ### Connection - `type Connection struct{…}` - `ColoName string` The Cloudflare data center used for this connection. - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `UUID string` UUID of the Cloudflare Tunnel connection. # Cloudflared ## List Cloudflare Tunnels `client.ZeroTrust.Tunnels.Cloudflared.List(ctx, params) (*V4PagePaginationArray[CloudflareTunnel], error)` **get** `/accounts/{account_id}/cfd_tunnel` Lists and filters Cloudflare Tunnels in an account. ### Parameters - `params TunnelCloudflaredListParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `ExcludePrefix param.Field[string]` Query param - `ExistedAt param.Field[string]` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded. - `IncludePrefix param.Field[string]` Query param - `IsDeleted param.Field[bool]` Query param: If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. - `Name param.Field[string]` Query param: A user-friendly name for a tunnel. 
- `Page param.Field[float64]` Query param: Page number of paginated results. - `PerPage param.Field[float64]` Query param: Number of results to display. - `Status param.Field[TunnelCloudflaredListParamsStatus]` Query param: The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `const TunnelCloudflaredListParamsStatusInactive TunnelCloudflaredListParamsStatus = "inactive"` - `const TunnelCloudflaredListParamsStatusDegraded TunnelCloudflaredListParamsStatus = "degraded"` - `const TunnelCloudflaredListParamsStatusHealthy TunnelCloudflaredListParamsStatus = "healthy"` - `const TunnelCloudflaredListParamsStatusDown TunnelCloudflaredListParamsStatus = "down"` - `UUID param.Field[string]` Query param: UUID of the tunnel. - `WasActiveAt param.Field[Time]` Query param - `WasInactiveAt param.Field[Time]` Query param ### Returns - `type CloudflareTunnel struct{…}` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `ID string` UUID of the tunnel. - `AccountTag string` Cloudflare account ID - `ConfigSrc CloudflareTunnelConfigSrc` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `const CloudflareTunnelConfigSrcLocal CloudflareTunnelConfigSrc = "local"` - `const CloudflareTunnelConfigSrcCloudflare CloudflareTunnelConfigSrc = "cloudflare"` - `Connections []CloudflareTunnelConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `ID string` UUID of the Cloudflare Tunnel connection. - `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. 
- `ColoName string` The Cloudflare data center used for this connection. - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. - `UUID string` UUID of the Cloudflare Tunnel connection. - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Metadata unknown` Metadata associated with the tunnel. - `Name string` A user-friendly name for a tunnel. - `RemoteConfig bool` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `Status CloudflareTunnelStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). 
- `const CloudflareTunnelStatusInactive CloudflareTunnelStatus = "inactive"` - `const CloudflareTunnelStatusDegraded CloudflareTunnelStatus = "degraded"` - `const CloudflareTunnelStatusHealthy CloudflareTunnelStatus = "healthy"` - `const CloudflareTunnelStatusDown CloudflareTunnelStatus = "down"` - `TunType CloudflareTunnelTunType` The type of tunnel. - `const CloudflareTunnelTunTypeCfdTunnel CloudflareTunnelTunType = "cfd_tunnel"` - `const CloudflareTunnelTunTypeWARPConnector CloudflareTunnelTunType = "warp_connector"` - `const CloudflareTunnelTunTypeWARP CloudflareTunnelTunType = "warp"` - `const CloudflareTunnelTunTypeMagic CloudflareTunnelTunType = "magic"` - `const CloudflareTunnelTunTypeIPSec CloudflareTunnelTunType = "ip_sec"` - `const CloudflareTunnelTunTypeGRE CloudflareTunnelTunType = "gre"` - `const CloudflareTunnelTunTypeCNI CloudflareTunnelTunType = "cni"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Tunnels.Cloudflared.List(context.TODO(), zero_trust.TunnelCloudflaredListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "config_src": "cloudflare", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": 
"2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "remote_config": true, "status": "healthy", "tun_type": "cfd_tunnel" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get a Cloudflare Tunnel `client.ZeroTrust.Tunnels.Cloudflared.Get(ctx, tunnelID, query) (*CloudflareTunnel, error)` **get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}` Fetches a single Cloudflare Tunnel. ### Parameters - `tunnelID string` UUID of the tunnel. - `query TunnelCloudflaredGetParams` - `AccountID param.Field[string]` Cloudflare account ID ### Returns - `type CloudflareTunnel struct{…}` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `ID string` UUID of the tunnel. - `AccountTag string` Cloudflare account ID - `ConfigSrc CloudflareTunnelConfigSrc` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `const CloudflareTunnelConfigSrcLocal CloudflareTunnelConfigSrc = "local"` - `const CloudflareTunnelConfigSrcCloudflare CloudflareTunnelConfigSrc = "cloudflare"` - `Connections []CloudflareTunnelConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `ID string` UUID of the Cloudflare Tunnel connection. - `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. - `ColoName string` The Cloudflare data center used for this connection. 
- `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. - `UUID string` UUID of the Cloudflare Tunnel connection. - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Metadata unknown` Metadata associated with the tunnel. - `Name string` A user-friendly name for a tunnel. - `RemoteConfig bool` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `Status CloudflareTunnelStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `const CloudflareTunnelStatusInactive CloudflareTunnelStatus = "inactive"` - `const CloudflareTunnelStatusDegraded CloudflareTunnelStatus = "degraded"` - `const CloudflareTunnelStatusHealthy CloudflareTunnelStatus = "healthy"` - `const CloudflareTunnelStatusDown CloudflareTunnelStatus = "down"` - `TunType CloudflareTunnelTunType` The type of tunnel. 
- `const CloudflareTunnelTunTypeCfdTunnel CloudflareTunnelTunType = "cfd_tunnel"` - `const CloudflareTunnelTunTypeWARPConnector CloudflareTunnelTunType = "warp_connector"` - `const CloudflareTunnelTunTypeWARP CloudflareTunnelTunType = "warp"` - `const CloudflareTunnelTunTypeMagic CloudflareTunnelTunType = "magic"` - `const CloudflareTunnelTunTypeIPSec CloudflareTunnelTunType = "ip_sec"` - `const CloudflareTunnelTunTypeGRE CloudflareTunnelTunType = "gre"` - `const CloudflareTunnelTunTypeCNI CloudflareTunnelTunType = "cni"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) cloudflareTunnel, err := client.ZeroTrust.Tunnels.Cloudflared.Get( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.TunnelCloudflaredGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", cloudflareTunnel.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "config_src": "cloudflare", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": 
"2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "remote_config": true, "status": "healthy", "tun_type": "cfd_tunnel" }, "success": true } ``` ## Create a Cloudflare Tunnel `client.ZeroTrust.Tunnels.Cloudflared.New(ctx, params) (*CloudflareTunnel, error)` **post** `/accounts/{account_id}/cfd_tunnel` Creates a new Cloudflare Tunnel in an account. ### Parameters - `params TunnelCloudflaredNewParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `Name param.Field[string]` Body param: A user-friendly name for a tunnel. - `ConfigSrc param.Field[TunnelCloudflaredNewParamsConfigSrc]` Body param: Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `const TunnelCloudflaredNewParamsConfigSrcLocal TunnelCloudflaredNewParamsConfigSrc = "local"` - `const TunnelCloudflaredNewParamsConfigSrcCloudflare TunnelCloudflaredNewParamsConfigSrc = "cloudflare"` - `TunnelSecret param.Field[string]` Body param: Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string. ### Returns - `type CloudflareTunnel struct{…}` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `ID string` UUID of the tunnel. - `AccountTag string` Cloudflare account ID - `ConfigSrc CloudflareTunnelConfigSrc` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `const CloudflareTunnelConfigSrcLocal CloudflareTunnelConfigSrc = "local"` - `const CloudflareTunnelConfigSrcCloudflare CloudflareTunnelConfigSrc = "cloudflare"` - `Connections []CloudflareTunnelConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. 
- `ID string` UUID of the Cloudflare Tunnel connection. - `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. - `ColoName string` The Cloudflare data center used for this connection. - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. - `UUID string` UUID of the Cloudflare Tunnel connection. - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Metadata unknown` Metadata associated with the tunnel. - `Name string` A user-friendly name for a tunnel. - `RemoteConfig bool` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `Status CloudflareTunnelStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). 
- `const CloudflareTunnelStatusInactive CloudflareTunnelStatus = "inactive"` - `const CloudflareTunnelStatusDegraded CloudflareTunnelStatus = "degraded"` - `const CloudflareTunnelStatusHealthy CloudflareTunnelStatus = "healthy"` - `const CloudflareTunnelStatusDown CloudflareTunnelStatus = "down"` - `TunType CloudflareTunnelTunType` The type of tunnel. - `const CloudflareTunnelTunTypeCfdTunnel CloudflareTunnelTunType = "cfd_tunnel"` - `const CloudflareTunnelTunTypeWARPConnector CloudflareTunnelTunType = "warp_connector"` - `const CloudflareTunnelTunTypeWARP CloudflareTunnelTunType = "warp"` - `const CloudflareTunnelTunTypeMagic CloudflareTunnelTunType = "magic"` - `const CloudflareTunnelTunTypeIPSec CloudflareTunnelTunType = "ip_sec"` - `const CloudflareTunnelTunTypeGRE CloudflareTunnelTunType = "gre"` - `const CloudflareTunnelTunTypeCNI CloudflareTunnelTunType = "cni"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) cloudflareTunnel, err := client.ZeroTrust.Tunnels.Cloudflared.New(context.TODO(), zero_trust.TunnelCloudflaredNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Name: cloudflare.F("blog"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", cloudflareTunnel.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "config_src": "cloudflare", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": 
"1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "remote_config": true, "status": "healthy", "tun_type": "cfd_tunnel" }, "success": true } ``` ## Update a Cloudflare Tunnel `client.ZeroTrust.Tunnels.Cloudflared.Edit(ctx, tunnelID, params) (*CloudflareTunnel, error)` **patch** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}` Updates an existing Cloudflare Tunnel. ### Parameters - `tunnelID string` UUID of the tunnel. - `params TunnelCloudflaredEditParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `Name param.Field[string]` Body param: A user-friendly name for a tunnel. - `TunnelSecret param.Field[string]` Body param: Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string. ### Returns - `type CloudflareTunnel struct{…}` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `ID string` UUID of the tunnel. - `AccountTag string` Cloudflare account ID - `ConfigSrc CloudflareTunnelConfigSrc` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `const CloudflareTunnelConfigSrcLocal CloudflareTunnelConfigSrc = "local"` - `const CloudflareTunnelConfigSrcCloudflare CloudflareTunnelConfigSrc = "cloudflare"` - `Connections []CloudflareTunnelConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `ID string` UUID of the Cloudflare Tunnel connection. 
- `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. - `ColoName string` The Cloudflare data center used for this connection. - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. - `UUID string` UUID of the Cloudflare Tunnel connection. - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Metadata unknown` Metadata associated with the tunnel. - `Name string` A user-friendly name for a tunnel. - `RemoteConfig bool` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `Status CloudflareTunnelStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). 
- `const CloudflareTunnelStatusInactive CloudflareTunnelStatus = "inactive"` - `const CloudflareTunnelStatusDegraded CloudflareTunnelStatus = "degraded"` - `const CloudflareTunnelStatusHealthy CloudflareTunnelStatus = "healthy"` - `const CloudflareTunnelStatusDown CloudflareTunnelStatus = "down"` - `TunType CloudflareTunnelTunType` The type of tunnel. - `const CloudflareTunnelTunTypeCfdTunnel CloudflareTunnelTunType = "cfd_tunnel"` - `const CloudflareTunnelTunTypeWARPConnector CloudflareTunnelTunType = "warp_connector"` - `const CloudflareTunnelTunTypeWARP CloudflareTunnelTunType = "warp"` - `const CloudflareTunnelTunTypeMagic CloudflareTunnelTunType = "magic"` - `const CloudflareTunnelTunTypeIPSec CloudflareTunnelTunType = "ip_sec"` - `const CloudflareTunnelTunTypeGRE CloudflareTunnelTunType = "gre"` - `const CloudflareTunnelTunTypeCNI CloudflareTunnelTunType = "cni"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) cloudflareTunnel, err := client.ZeroTrust.Tunnels.Cloudflared.Edit( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.TunnelCloudflaredEditParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", cloudflareTunnel.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "config_src": "cloudflare", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", 
"client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "remote_config": true, "status": "healthy", "tun_type": "cfd_tunnel" }, "success": true } ``` ## Delete a Cloudflare Tunnel `client.ZeroTrust.Tunnels.Cloudflared.Delete(ctx, tunnelID, body) (*CloudflareTunnel, error)` **delete** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}` Deletes a Cloudflare Tunnel from an account. ### Parameters - `tunnelID string` UUID of the tunnel. - `body TunnelCloudflaredDeleteParams` - `AccountID param.Field[string]` Cloudflare account ID ### Returns - `type CloudflareTunnel struct{…}` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `ID string` UUID of the tunnel. - `AccountTag string` Cloudflare account ID - `ConfigSrc CloudflareTunnelConfigSrc` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `const CloudflareTunnelConfigSrcLocal CloudflareTunnelConfigSrc = "local"` - `const CloudflareTunnelConfigSrcCloudflare CloudflareTunnelConfigSrc = "cloudflare"` - `Connections []CloudflareTunnelConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `ID string` UUID of the Cloudflare Tunnel connection. - `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. - `ColoName string` The Cloudflare data center used for this connection. 
- `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. - `UUID string` UUID of the Cloudflare Tunnel connection. - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Metadata unknown` Metadata associated with the tunnel. - `Name string` A user-friendly name for a tunnel. - `RemoteConfig bool` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `Status CloudflareTunnelStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `const CloudflareTunnelStatusInactive CloudflareTunnelStatus = "inactive"` - `const CloudflareTunnelStatusDegraded CloudflareTunnelStatus = "degraded"` - `const CloudflareTunnelStatusHealthy CloudflareTunnelStatus = "healthy"` - `const CloudflareTunnelStatusDown CloudflareTunnelStatus = "down"` - `TunType CloudflareTunnelTunType` The type of tunnel. 
- `const CloudflareTunnelTunTypeCfdTunnel CloudflareTunnelTunType = "cfd_tunnel"` - `const CloudflareTunnelTunTypeWARPConnector CloudflareTunnelTunType = "warp_connector"` - `const CloudflareTunnelTunTypeWARP CloudflareTunnelTunType = "warp"` - `const CloudflareTunnelTunTypeMagic CloudflareTunnelTunType = "magic"` - `const CloudflareTunnelTunTypeIPSec CloudflareTunnelTunType = "ip_sec"` - `const CloudflareTunnelTunTypeGRE CloudflareTunnelTunType = "gre"` - `const CloudflareTunnelTunTypeCNI CloudflareTunnelTunType = "cni"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) cloudflareTunnel, err := client.ZeroTrust.Tunnels.Cloudflared.Delete( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.TunnelCloudflaredDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", cloudflareTunnel.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "config_src": "cloudflare", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": 
"2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "remote_config": true, "status": "healthy", "tun_type": "cfd_tunnel" }, "success": true } ``` # Configurations ## Get configuration `client.ZeroTrust.Tunnels.Cloudflared.Configurations.Get(ctx, tunnelID, query) (*TunnelCloudflaredConfigurationGetResponse, error)` **get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations` Gets the configuration for a remotely-managed tunnel ### Parameters - `tunnelID string` UUID of the tunnel. - `query TunnelCloudflaredConfigurationGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type TunnelCloudflaredConfigurationGetResponse struct{…}` Cloudflare Tunnel configuration - `AccountID string` Identifier. - `Config TunnelCloudflaredConfigurationGetResponseConfig` The tunnel configuration and ingress rules. - `Ingress []TunnelCloudflaredConfigurationGetResponseConfigIngress` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `Hostname string` Public hostname for this service. - `Service string` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `OriginRequest TunnelCloudflaredConfigurationGetResponseConfigIngressOriginRequest` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `Access TunnelCloudflaredConfigurationGetResponseConfigIngressOriginRequestAccess` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `AUDTag []string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. 
- `TeamName string` - `Required bool` Deny traffic that has not fulfilled Access authorization. - `CAPool string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `ConnectTimeout int64` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `DisableChunkedEncoding bool` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `HTTP2Origin bool` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `HTTPHostHeader string` Sets the HTTP Host header on requests sent to the local service. - `KeepAliveConnections int64` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `KeepAliveTimeout int64` Timeout after which an idle keepalive connection can be discarded. - `MatchSnItoHost bool` Auto configure the Hostname on the origin server certificate. - `NoHappyEyeballs bool` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `NoTLSVerify bool` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `OriginServerName string` Hostname that cloudflared should expect from your origin server certificate. - `ProxyType string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `TCPKeepAlive int64` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. 
- `TLSTimeout int64` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `Path string` Requests with this path route to this public hostname. - `OriginRequest TunnelCloudflaredConfigurationGetResponseConfigOriginRequest` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `Access TunnelCloudflaredConfigurationGetResponseConfigOriginRequestAccess` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `AUDTag []string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `TeamName string` - `Required bool` Deny traffic that has not fulfilled Access authorization. - `CAPool string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `ConnectTimeout int64` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `DisableChunkedEncoding bool` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `HTTP2Origin bool` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `HTTPHostHeader string` Sets the HTTP Host header on requests sent to the local service. - `KeepAliveConnections int64` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `KeepAliveTimeout int64` Timeout after which an idle keepalive connection can be discarded. - `MatchSnItoHost bool` Auto configure the Hostname on the origin server certificate. 
- `NoHappyEyeballs bool` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `NoTLSVerify bool` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `OriginServerName string` Hostname that cloudflared should expect from your origin server certificate. - `ProxyType string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `TCPKeepAlive int64` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `TLSTimeout int64` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `CreatedAt Time` - `Source TunnelCloudflaredConfigurationGetResponseSource` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard. - `const TunnelCloudflaredConfigurationGetResponseSourceLocal TunnelCloudflaredConfigurationGetResponseSource = "local"` - `const TunnelCloudflaredConfigurationGetResponseSourceCloudflare TunnelCloudflaredConfigurationGetResponseSource = "cloudflare"` - `TunnelID string` UUID of the tunnel. - `Version int64` The version of the Tunnel Configuration. 
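
Two of the `originRequest` fields listed above decide whether cloudflared verifies the origin certificate (`NoTLSVerify`) and whether it denies requests that have not passed Access (`Access.Required`). The Go program below is an added example, not part of Cloudflare's documentation or SDK: it decodes a configuration response and reports every ingress rule where either protection is effectively off. It assumes a per-rule `originRequest` overrides the tunnel-level one, as in cloudflared's configuration file; the sample response and the names `Audit` and `Finding` are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sampleResponse is constructed for this example. It follows the response
// shape documented on this page; hostnames, addresses and tags are made up.
const sampleResponse = `{
  "success": true,
  "result": {
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "source": "cloudflare",
    "config": {
      "originRequest": {
        "noTLSVerify": true,
        "access": {"required": false, "teamName": "zero-trust-organization-name", "audTag": []}
      },
      "ingress": [
        {"hostname": "app.example.com", "service": "https://localhost:8001",
         "originRequest": {"noTLSVerify": false,
           "access": {"required": true, "teamName": "zero-trust-organization-name", "audTag": ["constructed-aud-tag"]}}},
        {"hostname": "admin.example.com", "service": "https://10.0.0.5:8443"},
        {"hostname": "metrics.example.com", "service": "http://localhost:9000",
         "originRequest": {"access": {"required": true, "teamName": "zero-trust-organization-name", "audTag": ["constructed-aud-tag"]}}},
        {"service": "http_status:404"}
      ]
    }
  }
}`

type accessSettings struct {
	Required bool     `json:"required"`
	AUDTag   []string `json:"audTag"`
	TeamName string   `json:"teamName"`
}

// originRequest keeps only the security-relevant fields. NoTLSVerify is a
// pointer so that "not set on this rule" can be told apart from false.
type originRequest struct {
	Access      *accessSettings `json:"access"`
	NoTLSVerify *bool           `json:"noTLSVerify"`
}

type ingressRule struct {
	Hostname      string         `json:"hostname"`
	Service       string         `json:"service"`
	OriginRequest *originRequest `json:"originRequest"`
}

type configResponse struct {
	Success bool `json:"success"`
	Result  struct {
		Config struct {
			Ingress       []ingressRule  `json:"ingress"`
			OriginRequest *originRequest `json:"originRequest"`
		} `json:"config"`
	} `json:"result"`
}

// Finding describes one weakened protection on one ingress rule.
type Finding struct {
	Hostname, Service, Field, Detail string
}

// effective resolves the settings that apply to a rule. Assumption: the
// tunnel-level originRequest supplies defaults and the rule's own wins.
func effective(rule, defaults *originRequest) (noTLSVerify bool, access *accessSettings) {
	for _, o := range []*originRequest{defaults, rule} { // rule is applied last
		if o == nil {
			continue
		}
		if o.NoTLSVerify != nil {
			noTLSVerify = *o.NoTLSVerify
		}
		if o.Access != nil {
			access = o.Access
		}
	}
	return noTLSVerify, access
}

// Audit decodes a "Get configuration" response and returns its findings.
func Audit(raw []byte) ([]Finding, error) {
	var resp configResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode configuration response: %w", err)
	}
	if !resp.Success {
		return nil, errors.New("API response has success=false")
	}
	defaults := resp.Result.Config.OriginRequest
	var findings []Finding
	for _, r := range resp.Result.Config.Ingress {
		if strings.HasPrefix(r.Service, "http_status:") {
			continue // fixed status reply, nothing is forwarded to an origin
		}
		noTLSVerify, access := effective(r.OriginRequest, defaults)
		usesTLS := strings.HasPrefix(r.Service, "https://") || strings.HasPrefix(r.Service, "unix+tls://")
		if noTLSVerify && usesTLS {
			findings = append(findings, Finding{Hostname: r.Hostname, Service: r.Service, Field: "noTLSVerify",
				Detail: "any certificate presented by the origin is accepted"})
		}
		if access == nil || !access.Required {
			findings = append(findings, Finding{Hostname: r.Hostname, Service: r.Service, Field: "access.required",
				Detail: "cloudflared does not deny requests that lack Access authorization"})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Audit([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s -> %s: %s (%s)\n", f.Hostname, f.Service, f.Field, f.Detail)
	}
}
```

In the sample, `metrics.example.com` inherits `noTLSVerify: true` from the tunnel-level block but is not reported for it, because its `http://` service performs no TLS handshake for the setting to weaken.
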
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) configuration, err := client.ZeroTrust.Tunnels.Cloudflared.Configurations.Get( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.TunnelCloudflaredConfigurationGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", configuration.AccountID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "023e105f4ecef8ad9ca31a8372d0c353", "config": { "ingress": [ { "hostname": "tunnel.example.com", "service": "https://localhost:8001", "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, "originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "path": "subpath" } ], "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, 
"originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "warp-routing": { "enabled": true } }, "created_at": "2014-01-01T05:20:00.12345Z", "source": "cloudflare", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "version": 0 } } ``` ## Put configuration `client.ZeroTrust.Tunnels.Cloudflared.Configurations.Update(ctx, tunnelID, params) (*TunnelCloudflaredConfigurationUpdateResponse, error)` **put** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations` Adds or updates the configuration for a remotely-managed tunnel. ### Parameters - `tunnelID string` UUID of the tunnel. - `params TunnelCloudflaredConfigurationUpdateParams` - `AccountID param.Field[string]` Path param: Identifier. - `Config param.Field[TunnelCloudflaredConfigurationUpdateParamsConfig]` Body param: The tunnel configuration and ingress rules. - `Ingress []TunnelCloudflaredConfigurationUpdateParamsConfigIngress` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `Hostname string` Public hostname for this service. - `Service string` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `OriginRequest TunnelCloudflaredConfigurationUpdateParamsConfigIngressOriginRequest` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `Access TunnelCloudflaredConfigurationUpdateParamsConfigIngressOriginRequestAccess` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `AUDTag []string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. 
- `TeamName string` - `Required bool` Deny traffic that has not fulfilled Access authorization. - `CAPool string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `ConnectTimeout int64` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `DisableChunkedEncoding bool` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `HTTP2Origin bool` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `HTTPHostHeader string` Sets the HTTP Host header on requests sent to the local service. - `KeepAliveConnections int64` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `KeepAliveTimeout int64` Timeout after which an idle keepalive connection can be discarded. - `MatchSnItoHost bool` Auto configure the Hostname on the origin server certificate. - `NoHappyEyeballs bool` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `NoTLSVerify bool` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `OriginServerName string` Hostname that cloudflared should expect from your origin server certificate. - `ProxyType string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `TCPKeepAlive int64` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. 
- `TLSTimeout int64` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `Path string` Requests with this path route to this public hostname. - `OriginRequest TunnelCloudflaredConfigurationUpdateParamsConfigOriginRequest` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `Access TunnelCloudflaredConfigurationUpdateParamsConfigOriginRequestAccess` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `AUDTag []string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `TeamName string` - `Required bool` Deny traffic that has not fulfilled Access authorization. - `CAPool string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `ConnectTimeout int64` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `DisableChunkedEncoding bool` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `HTTP2Origin bool` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `HTTPHostHeader string` Sets the HTTP Host header on requests sent to the local service. - `KeepAliveConnections int64` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `KeepAliveTimeout int64` Timeout after which an idle keepalive connection can be discarded. - `MatchSnItoHost bool` Auto configure the Hostname on the origin server certificate. 
- `NoHappyEyeballs bool` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `NoTLSVerify bool` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `OriginServerName string` Hostname that cloudflared should expect from your origin server certificate. - `ProxyType string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `TCPKeepAlive int64` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `TLSTimeout int64` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. ### Returns - `type TunnelCloudflaredConfigurationUpdateResponse struct{…}` Cloudflare Tunnel configuration - `AccountID string` Identifier. - `Config TunnelCloudflaredConfigurationUpdateResponseConfig` The tunnel configuration and ingress rules. - `Ingress []TunnelCloudflaredConfigurationUpdateResponseConfigIngress` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `Hostname string` Public hostname for this service. - `Service string` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `OriginRequest TunnelCloudflaredConfigurationUpdateResponseConfigIngressOriginRequest` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. 
- `Access TunnelCloudflaredConfigurationUpdateResponseConfigIngressOriginRequestAccess` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `AUDTag []string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `TeamName string` - `Required bool` Deny traffic that has not fulfilled Access authorization. - `CAPool string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `ConnectTimeout int64` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `DisableChunkedEncoding bool` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `HTTP2Origin bool` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `HTTPHostHeader string` Sets the HTTP Host header on requests sent to the local service. - `KeepAliveConnections int64` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `KeepAliveTimeout int64` Timeout after which an idle keepalive connection can be discarded. - `MatchSnItoHost bool` Auto configure the Hostname on the origin server certificate. - `NoHappyEyeballs bool` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `NoTLSVerify bool` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `OriginServerName string` Hostname that cloudflared should expect from your origin server certificate. 
- `ProxyType string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `TCPKeepAlive int64` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `TLSTimeout int64` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `Path string` Requests with this path route to this public hostname. - `OriginRequest TunnelCloudflaredConfigurationUpdateResponseConfigOriginRequest` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `Access TunnelCloudflaredConfigurationUpdateResponseConfigOriginRequestAccess` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `AUDTag []string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `TeamName string` - `Required bool` Deny traffic that has not fulfilled Access authorization. - `CAPool string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `ConnectTimeout int64` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `DisableChunkedEncoding bool` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `HTTP2Origin bool` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `HTTPHostHeader string` Sets the HTTP Host header on requests sent to the local service. 
- `KeepAliveConnections int64` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `KeepAliveTimeout int64` Timeout after which an idle keepalive connection can be discarded. - `MatchSnItoHost bool` Auto configure the Hostname on the origin server certificate. - `NoHappyEyeballs bool` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `NoTLSVerify bool` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `OriginServerName string` Hostname that cloudflared should expect from your origin server certificate. - `ProxyType string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `TCPKeepAlive int64` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `TLSTimeout int64` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `CreatedAt Time` - `Source TunnelCloudflaredConfigurationUpdateResponseSource` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard. - `const TunnelCloudflaredConfigurationUpdateResponseSourceLocal TunnelCloudflaredConfigurationUpdateResponseSource = "local"` - `const TunnelCloudflaredConfigurationUpdateResponseSourceCloudflare TunnelCloudflaredConfigurationUpdateResponseSource = "cloudflare"` - `TunnelID string` UUID of the tunnel. - `Version int64` The version of the Tunnel Configuration. 
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) configuration, err := client.ZeroTrust.Tunnels.Cloudflared.Configurations.Update( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.TunnelCloudflaredConfigurationUpdateParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", configuration.AccountID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "023e105f4ecef8ad9ca31a8372d0c353", "config": { "ingress": [ { "hostname": "tunnel.example.com", "service": "https://localhost:8001", "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, "originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "path": "subpath" } ], "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, 
"originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "warp-routing": { "enabled": true } }, "created_at": "2014-01-01T05:20:00.12345Z", "source": "cloudflare", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "version": 0 } } ``` # Connections ## List Cloudflare Tunnel connections `client.ZeroTrust.Tunnels.Cloudflared.Connections.Get(ctx, tunnelID, query) (*SinglePage[Client], error)` **get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections` Fetches connection details for a Cloudflare Tunnel. ### Parameters - `tunnelID string` UUID of the tunnel. - `query TunnelCloudflaredConnectionGetParams` - `AccountID param.Field[string]` Cloudflare account ID ### Returns - `type Client struct{…}` A client (typically cloudflared) that maintains connections to a Cloudflare data center. - `ID string` UUID of the Cloudflare Tunnel connection. - `Arch string` The cloudflared OS architecture used to establish this connection. - `ConfigVersion int64` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard. - `Conns []ClientConn` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `ID string` UUID of the Cloudflare Tunnel connection. - `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. - `ColoName string` The Cloudflare data center used for this connection. - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. 
- `UUID string` UUID of the Cloudflare Tunnel connection. - `Features []string` Features enabled for the Cloudflare Tunnel. - `RunAt Time` Timestamp of when the tunnel connection was started. - `Version string` The cloudflared version used to establish this connection. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Tunnels.Cloudflared.Connections.Get( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.TunnelCloudflaredConnectionGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "arch": "linux_amd64", "config_version": 0, "conns": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "features": [ "ha-origin" ], "run_at": "2009-11-10T23:00:00Z", "version": "2022.7.1" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Clean up Cloudflare Tunnel connections `client.ZeroTrust.Tunnels.Cloudflared.Connections.Delete(ctx, tunnelID, params) (*TunnelCloudflaredConnectionDeleteResponse, error)` **delete** 
`/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections` Removes a connection (aka Cloudflare Tunnel Connector) from a Cloudflare Tunnel independently of its current state. If no connector id (client_id) is provided all connectors will be removed. We recommend running this command after rotating tokens. ### Parameters - `tunnelID string` UUID of the tunnel. - `params TunnelCloudflaredConnectionDeleteParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `ClientID param.Field[string]` Query param: UUID of the Cloudflare Tunnel connector. ### Returns - `type TunnelCloudflaredConnectionDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) connection, err := client.ZeroTrust.Tunnels.Cloudflared.Connections.Delete( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.TunnelCloudflaredConnectionDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", connection) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": {}, "success": true } ``` ## Domain Types ### Client - `type Client struct{…}` A client (typically cloudflared) that maintains connections to a Cloudflare data center. - `ID string` UUID of the Cloudflare Tunnel connection. - `Arch string` The cloudflared OS architecture used to establish this connection. - `ConfigVersion int64` The version of the remote tunnel configuration. 
Used internally to sync cloudflared with the Zero Trust dashboard. - `Conns []ClientConn` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `ID string` UUID of the Cloudflare Tunnel connection. - `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. - `ColoName string` The Cloudflare data center used for this connection. - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. - `UUID string` UUID of the Cloudflare Tunnel connection. - `Features []string` Features enabled for the Cloudflare Tunnel. - `RunAt Time` Timestamp of when the tunnel connection was started. - `Version string` The cloudflared version used to establish this connection. # Token ## Get a Cloudflare Tunnel token `client.ZeroTrust.Tunnels.Cloudflared.Token.Get(ctx, tunnelID, query) (*string, error)` **get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/token` Gets the token used to associate cloudflared with a specific tunnel. ### Parameters - `tunnelID string` UUID of the tunnel. - `query TunnelCloudflaredTokenGetParams` - `AccountID param.Field[string]` Cloudflare account ID ### Returns - `type TunnelCloudflaredTokenGetResponseEnvelopeResult string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. 
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) token, err := client.ZeroTrust.Tunnels.Cloudflared.Token.Get( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.TunnelCloudflaredTokenGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", token) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": "eyJhIjoiNWFiNGU5Z...", "success": true } ``` # Connectors ## Get Cloudflare Tunnel connector `client.ZeroTrust.Tunnels.Cloudflared.Connectors.Get(ctx, tunnelID, connectorID, query) (*Client, error)` **get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connectors/{connector_id}` Fetches connector and connection details for a Cloudflare Tunnel. ### Parameters - `tunnelID string` UUID of the tunnel. - `connectorID string` UUID of the Cloudflare Tunnel connector. - `query TunnelCloudflaredConnectorGetParams` - `AccountID param.Field[string]` Cloudflare account ID ### Returns - `type Client struct{…}` A client (typically cloudflared) that maintains connections to a Cloudflare data center. - `ID string` UUID of the Cloudflare Tunnel connection. - `Arch string` The cloudflared OS architecture used to establish this connection. - `ConfigVersion int64` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard. - `Conns []ClientConn` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. 
- `ID string` UUID of the Cloudflare Tunnel connection. - `ClientID string` UUID of the Cloudflare Tunnel connector. - `ClientVersion string` The cloudflared version used to establish this connection. - `ColoName string` The Cloudflare data center used for this connection. - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `OpenedAt Time` Timestamp of when the connection was established. - `OriginIP string` The public IP address of the host running cloudflared. - `UUID string` UUID of the Cloudflare Tunnel connection. - `Features []string` Features enabled for the Cloudflare Tunnel. - `RunAt Time` Timestamp of when the tunnel connection was started. - `Version string` The cloudflared version used to establish this connection. 
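
The cleanup endpoint earlier on this page removes every connector when no `client_id` is given and is recommended after rotating tokens. The Go program below is an added example, not part of Cloudflare's documentation or SDK: it reads a connections list response and returns only the connectors that started before the rotation, so that each can be removed by its `client_id`. Treating `run_at` earlier than the rotation time as "started with the old token" is an assumption of this example; the sample response, the rotation time and the names `StaleConnectors` and `StaleConnector` are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"time"
)

// sampleConnections is constructed for this example in the shape of the
// "List Cloudflare Tunnel connections" response; UUIDs and IPs are made up.
const sampleConnections = `{
  "success": true,
  "result": [
    {"id": "00000000-0000-4000-8000-000000000001", "arch": "linux_amd64",
     "version": "2022.7.1", "run_at": "2024-03-01T08:00:00Z",
     "conns": [
       {"client_id": "00000000-0000-4000-8000-000000000001", "colo_name": "DFW",
        "is_pending_reconnect": false, "opened_at": "2024-03-01T08:00:05.317854Z", "origin_ip": "10.1.0.137"},
       {"client_id": "00000000-0000-4000-8000-000000000001", "colo_name": "ORD",
        "is_pending_reconnect": true, "opened_at": "2024-03-01T08:00:06Z", "origin_ip": "10.1.0.137"}
     ]},
    {"id": "00000000-0000-4000-8000-000000000002", "arch": "linux_amd64",
     "version": "2022.7.1", "run_at": "2024-03-10T12:00:00Z",
     "conns": [
       {"client_id": "00000000-0000-4000-8000-000000000002", "colo_name": "DFW",
        "is_pending_reconnect": false, "opened_at": "2024-03-10T12:00:03Z", "origin_ip": "10.1.0.138"}
     ]}
  ]
}`

// sampleRotatedAt is the constructed time at which the tunnel token was rotated.
var sampleRotatedAt = time.Date(2024, 3, 5, 0, 0, 0, 0, time.UTC)

type conn struct {
	ClientID           string    `json:"client_id"`
	IsPendingReconnect bool      `json:"is_pending_reconnect"`
	OpenedAt           time.Time `json:"opened_at"`
	OriginIP           string    `json:"origin_ip"`
}

type connector struct {
	Version string    `json:"version"`
	RunAt   time.Time `json:"run_at"`
	Conns   []conn    `json:"conns"`
}

type connectionsResponse struct {
	Success bool        `json:"success"`
	Result  []connector `json:"result"`
}

// StaleConnector is a connector that was started before the token rotation.
type StaleConnector struct {
	ClientID  string // value to pass as client_id to the cleanup endpoint
	Version   string
	RunAt     time.Time
	OriginIPs []string // distinct hosts the connector runs on
	Active    int      // connections currently serving traffic
	Pending   int      // disconnected but still tracked (is_pending_reconnect)
}

// StaleConnectors returns the connectors whose run_at predates rotatedAt,
// oldest first. Connectors without connections carry no client_id and are skipped.
func StaleConnectors(raw []byte, rotatedAt time.Time) ([]StaleConnector, error) {
	var resp connectionsResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode connections response: %w", err)
	}
	if !resp.Success {
		return nil, errors.New("API response has success=false")
	}
	var stale []StaleConnector
	for _, c := range resp.Result {
		if len(c.Conns) == 0 || !c.RunAt.Before(rotatedAt) {
			continue
		}
		s := StaleConnector{ClientID: c.Conns[0].ClientID, Version: c.Version, RunAt: c.RunAt}
		seen := map[string]bool{}
		for _, cn := range c.Conns {
			if cn.IsPendingReconnect {
				s.Pending++
			} else {
				s.Active++
			}
			if cn.OriginIP != "" && !seen[cn.OriginIP] {
				seen[cn.OriginIP] = true
				s.OriginIPs = append(s.OriginIPs, cn.OriginIP)
			}
		}
		stale = append(stale, s)
	}
	sort.Slice(stale, func(i, j int) bool { return stale[i].RunAt.Before(stale[j].RunAt) })
	return stale, nil
}

func main() {
	stale, err := StaleConnectors([]byte(sampleConnections), sampleRotatedAt)
	if err != nil {
		panic(err)
	}
	for _, s := range stale {
		fmt.Printf("client_id=%s run_at=%s active=%d pending=%d hosts=%v\n",
			s.ClientID, s.RunAt.Format(time.RFC3339), s.Active, s.Pending, s.OriginIPs)
	}
}
```
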
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// The result gets its own name: reusing "client" here would try to assign
	// the returned connector to the API client variable and fail to compile.
	connector, err := client.ZeroTrust.Tunnels.Cloudflared.Connectors.Get(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		"1bedc50d-42b3-473c-b108-ff3d10c0d925",
		zero_trust.TunnelCloudflaredConnectorGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", connector.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
    "arch": "linux_amd64",
    "config_version": 0,
    "conns": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "features": [
      "ha-origin"
    ],
    "run_at": "2009-11-10T23:00:00Z",
    "version": "2022.7.1"
  },
  "success": true
}
```

# Management

## Get a Cloudflare Tunnel management token

`client.ZeroTrust.Tunnels.Cloudflared.Management.New(ctx, tunnelID, params) (*string, error)`

**post** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/management`

Gets a management token used to access the management resources (i.e. Streaming Logs) of a tunnel.

### Parameters

- `tunnelID string` UUID of the tunnel.
- `params TunnelCloudflaredManagementNewParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `Resources param.Field[[]TunnelCloudflaredManagementNewParamsResource]` Body param
    - `const TunnelCloudflaredManagementNewParamsResourceLogs TunnelCloudflaredManagementNewParamsResource = "logs"`

### Returns

- `type TunnelCloudflaredManagementNewResponseEnvelopeResult string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	management, err := client.ZeroTrust.Tunnels.Cloudflared.Management.New(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		zero_trust.TunnelCloudflaredManagementNewParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Resources: cloudflare.F([]zero_trust.TunnelCloudflaredManagementNewParamsResource{zero_trust.TunnelCloudflaredManagementNewParamsResourceLogs}),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", management)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": "eyJhIjoiNWFiNGU5Z...",
  "success": true
}
```

# WARP Connector

## List Warp Connector Tunnels

`client.ZeroTrust.Tunnels.WARPConnector.List(ctx, params) (*V4PagePaginationArray[TunnelWARPConnectorListResponse], error)`

**get** `/accounts/{account_id}/warp_connector`

Lists and filters Warp Connector Tunnels in an account.

### Parameters

- `params TunnelWARPConnectorListParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `ExcludePrefix param.Field[string]` Query param
  - `ExistedAt param.Field[string]` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded.
  - `IncludePrefix param.Field[string]` Query param
  - `IsDeleted param.Field[bool]` Query param: If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included.
  - `Name param.Field[string]` Query param: A user-friendly name for the tunnel.
  - `Page param.Field[float64]` Query param: Page number of paginated results.
  - `PerPage param.Field[float64]` Query param: Number of results to display.
  - `Status param.Field[TunnelWARPConnectorListParamsStatus]` Query param: The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `const TunnelWARPConnectorListParamsStatusInactive TunnelWARPConnectorListParamsStatus = "inactive"`
    - `const TunnelWARPConnectorListParamsStatusDegraded TunnelWARPConnectorListParamsStatus = "degraded"`
    - `const TunnelWARPConnectorListParamsStatusHealthy TunnelWARPConnectorListParamsStatus = "healthy"`
    - `const TunnelWARPConnectorListParamsStatusDown TunnelWARPConnectorListParamsStatus = "down"`
  - `UUID param.Field[string]` Query param: UUID of the tunnel.
  - `WasActiveAt param.Field[Time]` Query param
  - `WasInactiveAt param.Field[Time]` Query param

### Returns

- `type TunnelWARPConnectorListResponse struct{…}` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `ID string` UUID of the tunnel.
  - `AccountTag string` Cloudflare account ID
  - `Connections []TunnelWARPConnectorListResponseConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `ID string` UUID of the Cloudflare Tunnel connection.
    - `ClientID string` UUID of the Cloudflare Tunnel connector.
    - `ClientVersion string` The cloudflared version used to establish this connection.
    - `ColoName string` The Cloudflare data center used for this connection.
    - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `OpenedAt Time` Timestamp of when the connection was established.
    - `OriginIP string` The public IP address of the host running cloudflared.
    - `UUID string` UUID of the Cloudflare Tunnel connection.
  - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Metadata unknown` Metadata associated with the tunnel.
  - `Name string` A user-friendly name for a tunnel.
  - `Status TunnelWARPConnectorListResponseStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `const TunnelWARPConnectorListResponseStatusInactive TunnelWARPConnectorListResponseStatus = "inactive"`
    - `const TunnelWARPConnectorListResponseStatusDegraded TunnelWARPConnectorListResponseStatus = "degraded"`
    - `const TunnelWARPConnectorListResponseStatusHealthy TunnelWARPConnectorListResponseStatus = "healthy"`
    - `const TunnelWARPConnectorListResponseStatusDown TunnelWARPConnectorListResponseStatus = "down"`
  - `TunType TunnelWARPConnectorListResponseTunType` The type of tunnel.
    - `const TunnelWARPConnectorListResponseTunTypeCfdTunnel TunnelWARPConnectorListResponseTunType = "cfd_tunnel"`
    - `const TunnelWARPConnectorListResponseTunTypeWARPConnector TunnelWARPConnectorListResponseTunType = "warp_connector"`
    - `const TunnelWARPConnectorListResponseTunTypeWARP TunnelWARPConnectorListResponseTunType = "warp"`
    - `const TunnelWARPConnectorListResponseTunTypeMagic TunnelWARPConnectorListResponseTunType = "magic"`
    - `const TunnelWARPConnectorListResponseTunTypeIPSec TunnelWARPConnectorListResponseTunType = "ip_sec"`
    - `const TunnelWARPConnectorListResponseTunTypeGRE TunnelWARPConnectorListResponseTunType = "gre"`
    - `const TunnelWARPConnectorListResponseTunTypeCNI TunnelWARPConnectorListResponseTunType = "cni"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Tunnels.WARPConnector.List(context.TODO(), zero_trust.TunnelWARPConnectorListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a Warp Connector Tunnel

`client.ZeroTrust.Tunnels.WARPConnector.Get(ctx, tunnelID, query) (*TunnelWARPConnectorGetResponse, error)`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Fetches a single Warp Connector Tunnel.

### Parameters

- `tunnelID string` UUID of the tunnel.
- `query TunnelWARPConnectorGetParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type TunnelWARPConnectorGetResponse struct{…}` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `ID string` UUID of the tunnel.
  - `AccountTag string` Cloudflare account ID
  - `Connections []TunnelWARPConnectorGetResponseConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `ID string` UUID of the Cloudflare Tunnel connection.
    - `ClientID string` UUID of the Cloudflare Tunnel connector.
    - `ClientVersion string` The cloudflared version used to establish this connection.
    - `ColoName string` The Cloudflare data center used for this connection.
    - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `OpenedAt Time` Timestamp of when the connection was established.
    - `OriginIP string` The public IP address of the host running cloudflared.
    - `UUID string` UUID of the Cloudflare Tunnel connection.
  - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Metadata unknown` Metadata associated with the tunnel.
  - `Name string` A user-friendly name for a tunnel.
  - `Status TunnelWARPConnectorGetResponseStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `const TunnelWARPConnectorGetResponseStatusInactive TunnelWARPConnectorGetResponseStatus = "inactive"`
    - `const TunnelWARPConnectorGetResponseStatusDegraded TunnelWARPConnectorGetResponseStatus = "degraded"`
    - `const TunnelWARPConnectorGetResponseStatusHealthy TunnelWARPConnectorGetResponseStatus = "healthy"`
    - `const TunnelWARPConnectorGetResponseStatusDown TunnelWARPConnectorGetResponseStatus = "down"`
  - `TunType TunnelWARPConnectorGetResponseTunType` The type of tunnel.
    - `const TunnelWARPConnectorGetResponseTunTypeCfdTunnel TunnelWARPConnectorGetResponseTunType = "cfd_tunnel"`
    - `const TunnelWARPConnectorGetResponseTunTypeWARPConnector TunnelWARPConnectorGetResponseTunType = "warp_connector"`
    - `const TunnelWARPConnectorGetResponseTunTypeWARP TunnelWARPConnectorGetResponseTunType = "warp"`
    - `const TunnelWARPConnectorGetResponseTunTypeMagic TunnelWARPConnectorGetResponseTunType = "magic"`
    - `const TunnelWARPConnectorGetResponseTunTypeIPSec TunnelWARPConnectorGetResponseTunType = "ip_sec"`
    - `const TunnelWARPConnectorGetResponseTunTypeGRE TunnelWARPConnectorGetResponseTunType = "gre"`
    - `const TunnelWARPConnectorGetResponseTunTypeCNI TunnelWARPConnectorGetResponseTunType = "cni"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	warpConnector, err := client.ZeroTrust.Tunnels.WARPConnector.Get(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		zero_trust.TunnelWARPConnectorGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", warpConnector.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Create a Warp Connector Tunnel

`client.ZeroTrust.Tunnels.WARPConnector.New(ctx, params) (*TunnelWARPConnectorNewResponse, error)`

**post** `/accounts/{account_id}/warp_connector`

Creates a new Warp Connector Tunnel in an account.

### Parameters

- `params TunnelWARPConnectorNewParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `Name param.Field[string]` Body param: A user-friendly name for a tunnel.
  - `Ha param.Field[bool]` Body param: Indicates that the tunnel will be created to be highly available. If omitted, defaults to false.

### Returns

- `type TunnelWARPConnectorNewResponse struct{…}` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `ID string` UUID of the tunnel.
  - `AccountTag string` Cloudflare account ID
  - `Connections []TunnelWARPConnectorNewResponseConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `ID string` UUID of the Cloudflare Tunnel connection.
    - `ClientID string` UUID of the Cloudflare Tunnel connector.
    - `ClientVersion string` The cloudflared version used to establish this connection.
    - `ColoName string` The Cloudflare data center used for this connection.
    - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `OpenedAt Time` Timestamp of when the connection was established.
    - `OriginIP string` The public IP address of the host running cloudflared.
    - `UUID string` UUID of the Cloudflare Tunnel connection.
  - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Metadata unknown` Metadata associated with the tunnel.
  - `Name string` A user-friendly name for a tunnel.
  - `Status TunnelWARPConnectorNewResponseStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `const TunnelWARPConnectorNewResponseStatusInactive TunnelWARPConnectorNewResponseStatus = "inactive"`
    - `const TunnelWARPConnectorNewResponseStatusDegraded TunnelWARPConnectorNewResponseStatus = "degraded"`
    - `const TunnelWARPConnectorNewResponseStatusHealthy TunnelWARPConnectorNewResponseStatus = "healthy"`
    - `const TunnelWARPConnectorNewResponseStatusDown TunnelWARPConnectorNewResponseStatus = "down"`
  - `TunType TunnelWARPConnectorNewResponseTunType` The type of tunnel.
    - `const TunnelWARPConnectorNewResponseTunTypeCfdTunnel TunnelWARPConnectorNewResponseTunType = "cfd_tunnel"`
    - `const TunnelWARPConnectorNewResponseTunTypeWARPConnector TunnelWARPConnectorNewResponseTunType = "warp_connector"`
    - `const TunnelWARPConnectorNewResponseTunTypeWARP TunnelWARPConnectorNewResponseTunType = "warp"`
    - `const TunnelWARPConnectorNewResponseTunTypeMagic TunnelWARPConnectorNewResponseTunType = "magic"`
    - `const TunnelWARPConnectorNewResponseTunTypeIPSec TunnelWARPConnectorNewResponseTunType = "ip_sec"`
    - `const TunnelWARPConnectorNewResponseTunTypeGRE TunnelWARPConnectorNewResponseTunType = "gre"`
    - `const TunnelWARPConnectorNewResponseTunTypeCNI TunnelWARPConnectorNewResponseTunType = "cni"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	warpConnector, err := client.ZeroTrust.Tunnels.WARPConnector.New(context.TODO(), zero_trust.TunnelWARPConnectorNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Name:      cloudflare.F("blog"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", warpConnector.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Update a Warp Connector Tunnel

`client.ZeroTrust.Tunnels.WARPConnector.Edit(ctx, tunnelID, params) (*TunnelWARPConnectorEditResponse, error)`

**patch** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Updates an existing Warp Connector Tunnel.

### Parameters

- `tunnelID string` UUID of the tunnel.
- `params TunnelWARPConnectorEditParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `Name param.Field[string]` Body param: A user-friendly name for a tunnel.
  - `TunnelSecret param.Field[string]` Body param: Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string.

### Returns

- `type TunnelWARPConnectorEditResponse struct{…}` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `ID string` UUID of the tunnel.
  - `AccountTag string` Cloudflare account ID
  - `Connections []TunnelWARPConnectorEditResponseConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `ID string` UUID of the Cloudflare Tunnel connection.
    - `ClientID string` UUID of the Cloudflare Tunnel connector.
    - `ClientVersion string` The cloudflared version used to establish this connection.
    - `ColoName string` The Cloudflare data center used for this connection.
    - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `OpenedAt Time` Timestamp of when the connection was established.
    - `OriginIP string` The public IP address of the host running cloudflared.
    - `UUID string` UUID of the Cloudflare Tunnel connection.
  - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Metadata unknown` Metadata associated with the tunnel.
  - `Name string` A user-friendly name for a tunnel.
  - `Status TunnelWARPConnectorEditResponseStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `const TunnelWARPConnectorEditResponseStatusInactive TunnelWARPConnectorEditResponseStatus = "inactive"`
    - `const TunnelWARPConnectorEditResponseStatusDegraded TunnelWARPConnectorEditResponseStatus = "degraded"`
    - `const TunnelWARPConnectorEditResponseStatusHealthy TunnelWARPConnectorEditResponseStatus = "healthy"`
    - `const TunnelWARPConnectorEditResponseStatusDown TunnelWARPConnectorEditResponseStatus = "down"`
  - `TunType TunnelWARPConnectorEditResponseTunType` The type of tunnel.
    - `const TunnelWARPConnectorEditResponseTunTypeCfdTunnel TunnelWARPConnectorEditResponseTunType = "cfd_tunnel"`
    - `const TunnelWARPConnectorEditResponseTunTypeWARPConnector TunnelWARPConnectorEditResponseTunType = "warp_connector"`
    - `const TunnelWARPConnectorEditResponseTunTypeWARP TunnelWARPConnectorEditResponseTunType = "warp"`
    - `const TunnelWARPConnectorEditResponseTunTypeMagic TunnelWARPConnectorEditResponseTunType = "magic"`
    - `const TunnelWARPConnectorEditResponseTunTypeIPSec TunnelWARPConnectorEditResponseTunType = "ip_sec"`
    - `const TunnelWARPConnectorEditResponseTunTypeGRE TunnelWARPConnectorEditResponseTunType = "gre"`
    - `const TunnelWARPConnectorEditResponseTunTypeCNI TunnelWARPConnectorEditResponseTunType = "cni"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Tunnels.WARPConnector.Edit(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		zero_trust.TunnelWARPConnectorEditParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Delete a Warp Connector Tunnel

`client.ZeroTrust.Tunnels.WARPConnector.Delete(ctx, tunnelID, body) (*TunnelWARPConnectorDeleteResponse, error)`

**delete** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Deletes a Warp Connector Tunnel from an account.

### Parameters

- `tunnelID string` UUID of the tunnel.
- `body TunnelWARPConnectorDeleteParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type TunnelWARPConnectorDeleteResponse struct{…}` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `ID string` UUID of the tunnel.
  - `AccountTag string` Cloudflare account ID
  - `Connections []TunnelWARPConnectorDeleteResponseConnection` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `ID string` UUID of the Cloudflare Tunnel connection.
    - `ClientID string` UUID of the Cloudflare Tunnel connector.
    - `ClientVersion string` The cloudflared version used to establish this connection.
    - `ColoName string` The Cloudflare data center used for this connection.
    - `IsPendingReconnect bool` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `OpenedAt Time` Timestamp of when the connection was established.
    - `OriginIP string` The public IP address of the host running cloudflared.
    - `UUID string` UUID of the Cloudflare Tunnel connection.
  - `ConnsActiveAt Time` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `ConnsInactiveAt Time` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Metadata unknown` Metadata associated with the tunnel.
  - `Name string` A user-friendly name for a tunnel.
  - `Status TunnelWARPConnectorDeleteResponseStatus` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `const TunnelWARPConnectorDeleteResponseStatusInactive TunnelWARPConnectorDeleteResponseStatus = "inactive"`
    - `const TunnelWARPConnectorDeleteResponseStatusDegraded TunnelWARPConnectorDeleteResponseStatus = "degraded"`
    - `const TunnelWARPConnectorDeleteResponseStatusHealthy TunnelWARPConnectorDeleteResponseStatus = "healthy"`
    - `const TunnelWARPConnectorDeleteResponseStatusDown TunnelWARPConnectorDeleteResponseStatus = "down"`
  - `TunType TunnelWARPConnectorDeleteResponseTunType` The type of tunnel.
    - `const TunnelWARPConnectorDeleteResponseTunTypeCfdTunnel TunnelWARPConnectorDeleteResponseTunType = "cfd_tunnel"`
    - `const TunnelWARPConnectorDeleteResponseTunTypeWARPConnector TunnelWARPConnectorDeleteResponseTunType = "warp_connector"`
    - `const TunnelWARPConnectorDeleteResponseTunTypeWARP TunnelWARPConnectorDeleteResponseTunType = "warp"`
    - `const TunnelWARPConnectorDeleteResponseTunTypeMagic TunnelWARPConnectorDeleteResponseTunType = "magic"`
    - `const TunnelWARPConnectorDeleteResponseTunTypeIPSec TunnelWARPConnectorDeleteResponseTunType = "ip_sec"`
    - `const TunnelWARPConnectorDeleteResponseTunTypeGRE TunnelWARPConnectorDeleteResponseTunType = "gre"`
    - `const TunnelWARPConnectorDeleteResponseTunTypeCNI TunnelWARPConnectorDeleteResponseTunType = "cni"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	warpConnector, err := client.ZeroTrust.Tunnels.WARPConnector.Delete(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		zero_trust.TunnelWARPConnectorDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", warpConnector.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

# Token

## Get a Warp Connector Tunnel token

`client.ZeroTrust.Tunnels.WARPConnector.Token.Get(ctx, tunnelID, query) (*string, error)`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/token`

Gets the token used to associate a WARP device with a specific Warp Connector tunnel.

### Parameters

- `tunnelID string` UUID of the tunnel.
- `query TunnelWARPConnectorTokenGetParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type TunnelWARPConnectorTokenGetResponseEnvelopeResult string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	token, err := client.ZeroTrust.Tunnels.WARPConnector.Token.Get(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		zero_trust.TunnelWARPConnectorTokenGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", token)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": "eyJhIjoiNWFiNGU5Z...",
  "success": true
}
```

# Connections

## List WARP Connector Tunnel connections

`client.ZeroTrust.Tunnels.WARPConnector.Connections.Get(ctx, tunnelID, query) (*SinglePage[TunnelWARPConnectorConnectionGetResponse], error)`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/connections`

Fetches connection details for a WARP Connector Tunnel.

### Parameters

- `tunnelID string` UUID of the tunnel.
- `query TunnelWARPConnectorConnectionGetParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type TunnelWARPConnectorConnectionGetResponse struct{…}` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `ID string` UUID of the Cloudflare Tunnel connector.
  - `Arch string` The cloudflared OS architecture used to establish this connection.
  - `Conns []TunnelWARPConnectorConnectionGetResponseConn` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `ID string` UUID of the Cloudflare Tunnel connection.
    - `ClientID string` UUID of the Cloudflare Tunnel connector.
    - `ClientVersion string` The cloudflared version used to establish this connection.
    - `ColoName string` The Cloudflare data center used for this connection.
    - `OpenedAt Time` Timestamp of when the connection was established.
    - `OriginIP string` The public IP address of the host running WARP Connector.
  - `Features []string` Features enabled for the Cloudflare Tunnel.
  - `HaStatus TunnelWARPConnectorConnectionGetResponseHaStatus` The HA status of a WARP Connector client.
    - `const TunnelWARPConnectorConnectionGetResponseHaStatusOffline TunnelWARPConnectorConnectionGetResponseHaStatus = "offline"`
    - `const TunnelWARPConnectorConnectionGetResponseHaStatusPassive TunnelWARPConnectorConnectionGetResponseHaStatus = "passive"`
    - `const TunnelWARPConnectorConnectionGetResponseHaStatusActive TunnelWARPConnectorConnectionGetResponseHaStatus = "active"`
  - `RunAt Time` Timestamp of when the tunnel connection was started.
  - `Version string` The cloudflared version used to establish this connection.
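
An added example, not part of the SDK or of Cloudflare's documentation: it decodes a `result` array shaped like this endpoint's response and reports connectors whose `ha_status` is `offline`, whose `version` is older than a chosen minimum, or whose `origin_ip` lies outside the networks connectors are expected to run in. The policy values, the second sample connector, the three-part version format and all function names are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Constructed sample: element one copies the page's sample values, element two is invented.
const sampleResult = `[
 {"id":"1bedc50d-42b3-473c-b108-ff3d10c0d925","ha_status":"offline","version":"2022.7.1",
  "conns":[{"colo_name":"DFW","origin_ip":"10.1.0.137"}]},
 {"id":"00000000-0000-4000-8000-000000000002","ha_status":"active","version":"2024.6.0",
  "conns":[{"colo_name":"AMS","origin_ip":"203.0.113.9"}]}
]`

type connector struct {
	ID       string `json:"id"`
	HaStatus string `json:"ha_status"`
	Version  string `json:"version"`
	Conns    []struct {
		ColoName string `json:"colo_name"`
		OriginIP string `json:"origin_ip"`
	} `json:"conns"`
}

// policy holds site expectations; the values below are assumptions, not Cloudflare defaults.
type policy struct {
	MinVersion string         // oldest connector version still accepted
	Origins    []netip.Prefix // networks connectors are expected to run in
}

var examplePolicy = policy{MinVersion: "2023.1.0", Origins: []netip.Prefix{netip.MustParsePrefix("10.1.0.0/16")}}

// parseVersion reads a three-part dotted version such as "2022.7.1" and rejects anything else.
func parseVersion(v string) (out [3]int, err error) {
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("version %q: want three dotted numbers", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("version %q: %w", v, err)
		}
	}
	return out, nil
}

// older reports whether version a sorts before version b.
func older(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// audit decodes a "result" array and returns one finding per deviation from the policy.
func audit(raw []byte, p policy) ([]string, error) {
	floor, err := parseVersion(p.MinVersion)
	if err != nil {
		return nil, fmt.Errorf("policy: %w", err)
	}
	var cs []connector
	if err := json.Unmarshal(raw, &cs); err != nil {
		return nil, fmt.Errorf("decode result: %w", err)
	}
	var out []string
	for _, c := range cs {
		if c.HaStatus == "offline" {
			out = append(out, c.ID+": ha_status is offline")
		}
		if v, err := parseVersion(c.Version); err != nil { // unknown format is a finding, not a pass
			out = append(out, c.ID+": "+err.Error())
		} else if older(v, floor) {
			out = append(out, c.ID+": version "+c.Version+" is older than "+p.MinVersion)
		}
		for _, cn := range c.Conns {
			ip, err := netip.ParseAddr(cn.OriginIP)
			ok := false
			for _, n := range p.Origins {
				ok = ok || (err == nil && n.Contains(ip.Unmap()))
			}
			if !ok {
				out = append(out, fmt.Sprintf("%s: origin_ip %s (colo %s) is outside the expected networks", c.ID, cn.OriginIP, cn.ColoName))
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := audit([]byte(sampleResult), examplePolicy)
	fmt.Printf("findings=%q err=%v\n", findings, err)
}
```

In practice the bytes passed to `audit` would be the re-marshalled `result` of the call documented in this section.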

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Tunnels.WARPConnector.Connections.Get(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		zero_trust.TunnelWARPConnectorConnectionGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
      "arch": "linux_amd64",
      "conns": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137"
        }
      ],
      "features": [
        "ha-origin"
      ],
      "ha_status": "offline",
      "run_at": "2009-11-10T23:00:00Z",
      "version": "2022.7.1"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Connectors

## Get WARP Connector Tunnel connector

`client.ZeroTrust.Tunnels.WARPConnector.Connectors.Get(ctx, tunnelID, connectorID, query) (*TunnelWARPConnectorConnectorGetResponse, error)`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/connectors/{connector_id}`

Fetches connector and connection details for a WARP Connector Tunnel.

### Parameters

- `tunnelID string`
  UUID of the tunnel.
- `connectorID string`
  UUID of the Cloudflare Tunnel connector.
- `query TunnelWARPConnectorConnectorGetParams`
  - `AccountID param.Field[string]`
    Cloudflare account ID

### Returns

- `type TunnelWARPConnectorConnectorGetResponse struct{…}`
  A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `ID string`
    UUID of the Cloudflare Tunnel connector.
  - `Arch string`
    The cloudflared OS architecture used to establish this connection.
  - `Conns []TunnelWARPConnectorConnectorGetResponseConn`
    The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `ID string`
      UUID of the Cloudflare Tunnel connection.
    - `ClientID string`
      UUID of the Cloudflare Tunnel connector.
    - `ClientVersion string`
      The cloudflared version used to establish this connection.
    - `ColoName string`
      The Cloudflare data center used for this connection.
    - `OpenedAt Time`
      Timestamp of when the connection was established.
    - `OriginIP string`
      The public IP address of the host running WARP Connector.
  - `Features []string`
    Features enabled for the Cloudflare Tunnel.
  - `HaStatus TunnelWARPConnectorConnectorGetResponseHaStatus`
    The HA status of a WARP Connector client.
    - `const TunnelWARPConnectorConnectorGetResponseHaStatusOffline TunnelWARPConnectorConnectorGetResponseHaStatus = "offline"`
    - `const TunnelWARPConnectorConnectorGetResponseHaStatusPassive TunnelWARPConnectorConnectorGetResponseHaStatus = "passive"`
    - `const TunnelWARPConnectorConnectorGetResponseHaStatusActive TunnelWARPConnectorConnectorGetResponseHaStatus = "active"`
  - `RunAt Time`
    Timestamp of when the tunnel connection was started.
  - `Version string`
    The cloudflared version used to establish this connection.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	connector, err := client.ZeroTrust.Tunnels.WARPConnector.Connectors.Get(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		"1bedc50d-42b3-473c-b108-ff3d10c0d925",
		zero_trust.TunnelWARPConnectorConnectorGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", connector.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
    "arch": "linux_amd64",
    "conns": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137"
      }
    ],
    "features": [
      "ha-origin"
    ],
    "ha_status": "offline",
    "run_at": "2009-11-10T23:00:00Z",
    "version": "2022.7.1"
  },
  "success": true
}
```

# Failover

## Trigger a manual failover for a WARP Connector Tunnel

`client.ZeroTrust.Tunnels.WARPConnector.Failover.Update(ctx, tunnelID, params) (*TunnelWARPConnectorFailoverUpdateResponse, error)`

**put** `/accounts/{account_id}/warp_connector/{tunnel_id}/failover`

Triggers a manual failover for a specific WARP Connector Tunnel, setting the specified client as the active connector. The tunnel must be configured for high availability (HA) and the client must be linked to the tunnel.

### Parameters

- `tunnelID string`
  UUID of the tunnel.
- `params TunnelWARPConnectorFailoverUpdateParams`
  - `AccountID param.Field[string]`
    Path param: Cloudflare account ID
  - `ClientID param.Field[string]`
    Body param: UUID of the Cloudflare Tunnel connector.

### Returns

- `type TunnelWARPConnectorFailoverUpdateResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	failover, err := client.ZeroTrust.Tunnels.WARPConnector.Failover.Update(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		zero_trust.TunnelWARPConnectorFailoverUpdateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			ClientID:  cloudflare.F("1bedc50d-42b3-473c-b108-ff3d10c0d925"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", failover)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

# Connectivity Settings

## Get Zero Trust Connectivity Settings

`client.ZeroTrust.ConnectivitySettings.Get(ctx, query) (*ConnectivitySettingGetResponse, error)`

**get** `/accounts/{account_id}/zerotrust/connectivity_settings`

Gets the Zero Trust Connectivity Settings for the given account.

### Parameters

- `query ConnectivitySettingGetParams`
  - `AccountID param.Field[string]`
    Cloudflare account ID

### Returns

- `type ConnectivitySettingGetResponse struct{…}`
  - `IcmpProxyEnabled bool`
    A flag to enable the ICMP proxy for the account network.
  - `OfframpWARPEnabled bool`
    A flag to enable WARP to WARP traffic.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	connectivitySetting, err := client.ZeroTrust.ConnectivitySettings.Get(context.TODO(), zero_trust.ConnectivitySettingGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", connectivitySetting.IcmpProxyEnabled)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "icmp_proxy_enabled": true,
    "offramp_warp_enabled": true
  },
  "success": true
}
```

## Updates the Zero Trust Connectivity Settings

`client.ZeroTrust.ConnectivitySettings.Edit(ctx, params) (*ConnectivitySettingEditResponse, error)`

**patch** `/accounts/{account_id}/zerotrust/connectivity_settings`

Updates the Zero Trust Connectivity Settings for the given account.

### Parameters

- `params ConnectivitySettingEditParams`
  - `AccountID param.Field[string]`
    Path param: Cloudflare account ID
  - `IcmpProxyEnabled param.Field[bool]`
    Body param: A flag to enable the ICMP proxy for the account network.
  - `OfframpWARPEnabled param.Field[bool]`
    Body param: A flag to enable WARP to WARP traffic.

### Returns

- `type ConnectivitySettingEditResponse struct{…}`
  - `IcmpProxyEnabled bool`
    A flag to enable the ICMP proxy for the account network.
  - `OfframpWARPEnabled bool`
    A flag to enable WARP to WARP traffic.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.ConnectivitySettings.Edit(context.TODO(), zero_trust.ConnectivitySettingEditParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.IcmpProxyEnabled)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "icmp_proxy_enabled": true,
    "offramp_warp_enabled": true
  },
  "success": true
}
```

# DLP

# Datasets

## Fetch all datasets

`client.ZeroTrust.DLP.Datasets.List(ctx, query) (*SinglePage[Dataset], error)`

**get** `/accounts/{account_id}/dlp/datasets`

Lists all DLP datasets configured for the account, including custom word lists and EDM datasets.
### Parameters - `query DLPDatasetListParams` - `AccountID param.Field[string]` ### Returns - `type Dataset struct{…}` - `ID string` - `Columns []DatasetColumn` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus DatasetColumnsUploadStatus` - `const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"` - `const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"` - `const DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"` - `const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"` - `const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"` - `const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"` - `CreatedAt Time` - `EncodingVersion int64` - `Name string` - `NumCells int64` - `Secret bool` - `Status DatasetStatus` - `const DatasetStatusEmpty DatasetStatus = "empty"` - `const DatasetStatusUploading DatasetStatus = "uploading"` - `const DatasetStatusPending DatasetStatus = "pending"` - `const DatasetStatusProcessing DatasetStatus = "processing"` - `const DatasetStatusFailed DatasetStatus = "failed"` - `const DatasetStatusComplete DatasetStatus = "complete"` - `UpdatedAt Time` Stores when the dataset was last updated. This includes name or description changes as well as uploads. - `Uploads []DatasetUpload` - `NumCells int64` - `Status DatasetUploadsStatus` - `const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"` - `const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"` - `const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"` - `const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"` - `const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"` - `const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"` - `Version int64` - `CaseSensitive bool` - `Description string` The description of the dataset. 
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.DLP.Datasets.List(context.TODO(), zero_trust.DLPDatasetListParams{ AccountID: cloudflare.F("account_id"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "columns": [ { "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty" } ], "created_at": "2019-12-27T18:11:19.117Z", "encoding_version": 0, "name": "name", "num_cells": 0, "secret": true, "status": "empty", "updated_at": "2019-12-27T18:11:19.117Z", "uploads": [ { "num_cells": 0, "status": "empty", "version": 0 } ], "case_sensitive": true, "description": "description" } ] } ``` ## Fetch a specific dataset `client.ZeroTrust.DLP.Datasets.Get(ctx, datasetID, query) (*Dataset, error)` **get** `/accounts/{account_id}/dlp/datasets/{dataset_id}` Fetch a specific dataset ### Parameters - `datasetID string` - `query DLPDatasetGetParams` - `AccountID param.Field[string]` ### Returns - `type Dataset struct{…}` - `ID string` - `Columns []DatasetColumn` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus DatasetColumnsUploadStatus` - `const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"` - `const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"` - `const 
DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"` - `const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"` - `const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"` - `const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"` - `CreatedAt Time` - `EncodingVersion int64` - `Name string` - `NumCells int64` - `Secret bool` - `Status DatasetStatus` - `const DatasetStatusEmpty DatasetStatus = "empty"` - `const DatasetStatusUploading DatasetStatus = "uploading"` - `const DatasetStatusPending DatasetStatus = "pending"` - `const DatasetStatusProcessing DatasetStatus = "processing"` - `const DatasetStatusFailed DatasetStatus = "failed"` - `const DatasetStatusComplete DatasetStatus = "complete"` - `UpdatedAt Time` Stores when the dataset was last updated. This includes name or description changes as well as uploads. - `Uploads []DatasetUpload` - `NumCells int64` - `Status DatasetUploadsStatus` - `const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"` - `const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"` - `const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"` - `const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"` - `const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"` - `const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"` - `Version int64` - `CaseSensitive bool` - `Description string` The description of the dataset. 
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) dataset, err := client.ZeroTrust.DLP.Datasets.Get( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPDatasetGetParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", dataset.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "columns": [ { "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty" } ], "created_at": "2019-12-27T18:11:19.117Z", "encoding_version": 0, "name": "name", "num_cells": 0, "secret": true, "status": "empty", "updated_at": "2019-12-27T18:11:19.117Z", "uploads": [ { "num_cells": 0, "status": "empty", "version": 0 } ], "case_sensitive": true, "description": "description" } } ``` ## Create a new dataset `client.ZeroTrust.DLP.Datasets.New(ctx, params) (*DatasetCreation, error)` **post** `/accounts/{account_id}/dlp/datasets` Creates a new DLP (Data Loss Prevention) dataset for storing custom detection patterns. Datasets can contain exact match data, word lists, or EDM (Exact Data Match) configurations. ### Parameters - `params DLPDatasetNewParams` - `AccountID param.Field[string]` Path param - `Name param.Field[string]` Body param - `CaseSensitive param.Field[bool]` Body param: Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true or undefined.
  - `Description param.Field[string]`
    Body param: The description of the dataset.
  - `EncodingVersion param.Field[int64]`
    Body param: Dataset encoding version. Non-secret custom word lists with no header are always version 1. Secret EDM lists with no header are version 1. Multicolumn CSV with headers are version 2. Omitting this field provides the default value 0, which is interpreted the same as 1.
  - `Secret param.Field[bool]`
    Body param: Generate a secret dataset. If true, the response will include a secret to use with the EDM encoder. If false, the response has no secret and the dataset is uploaded in plaintext.

### Returns

- `type DatasetCreation struct{…}`
  - `Dataset Dataset`
    - `ID string`
    - `Columns []DatasetColumn`
      - `EntryID string`
      - `HeaderName string`
      - `NumCells int64`
      - `UploadStatus DatasetColumnsUploadStatus`
        - `const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"`
        - `const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"`
        - `const DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"`
        - `const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"`
        - `const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"`
        - `const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"`
    - `CreatedAt Time`
    - `EncodingVersion int64`
    - `Name string`
    - `NumCells int64`
    - `Secret bool`
    - `Status DatasetStatus`
      - `const DatasetStatusEmpty DatasetStatus = "empty"`
      - `const DatasetStatusUploading DatasetStatus = "uploading"`
      - `const DatasetStatusPending DatasetStatus = "pending"`
      - `const DatasetStatusProcessing DatasetStatus = "processing"`
      - `const DatasetStatusFailed DatasetStatus = "failed"`
      - `const DatasetStatusComplete DatasetStatus = "complete"`
    - `UpdatedAt Time`
      Stores when the dataset was last updated.
This includes name or description changes as well as uploads. - `Uploads []DatasetUpload` - `NumCells int64` - `Status DatasetUploadsStatus` - `const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"` - `const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"` - `const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"` - `const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"` - `const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"` - `const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"` - `Version int64` - `CaseSensitive bool` - `Description string` The description of the dataset. - `EncodingVersion int64` Encoding version to use for dataset. - `MaxCells int64` - `Version int64` The version to use when uploading the dataset. - `Secret string` The secret to use for Exact Data Match datasets. This is not present in Custom Wordlists. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) datasetCreation, err := client.ZeroTrust.DLP.Datasets.New(context.TODO(), zero_trust.DLPDatasetNewParams{ AccountID: cloudflare.F("account_id"), Name: cloudflare.F("name"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", datasetCreation.Dataset) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "dataset": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "columns": [ { "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": 
"empty" } ], "created_at": "2019-12-27T18:11:19.117Z", "encoding_version": 0, "name": "name", "num_cells": 0, "secret": true, "status": "empty", "updated_at": "2019-12-27T18:11:19.117Z", "uploads": [ { "num_cells": 0, "status": "empty", "version": 0 } ], "case_sensitive": true, "description": "description" }, "encoding_version": 0, "max_cells": 0, "version": 0, "secret": "secret" } } ``` ## Update details about a dataset `client.ZeroTrust.DLP.Datasets.Update(ctx, datasetID, params) (*Dataset, error)` **put** `/accounts/{account_id}/dlp/datasets/{dataset_id}` Updates the configuration of an existing DLP dataset, such as its name, description, or detection settings. ### Parameters - `datasetID string` - `params DLPDatasetUpdateParams` - `AccountID param.Field[string]` Path param - `CaseSensitive param.Field[bool]` Body param: Determines if the words should be matched in a case-sensitive manner. Only required for custom word lists. - `Description param.Field[string]` Body param: The description of the dataset. - `Name param.Field[string]` Body param: The name of the dataset, must be unique. 
### Returns - `type Dataset struct{…}` - `ID string` - `Columns []DatasetColumn` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus DatasetColumnsUploadStatus` - `const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"` - `const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"` - `const DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"` - `const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"` - `const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"` - `const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"` - `CreatedAt Time` - `EncodingVersion int64` - `Name string` - `NumCells int64` - `Secret bool` - `Status DatasetStatus` - `const DatasetStatusEmpty DatasetStatus = "empty"` - `const DatasetStatusUploading DatasetStatus = "uploading"` - `const DatasetStatusPending DatasetStatus = "pending"` - `const DatasetStatusProcessing DatasetStatus = "processing"` - `const DatasetStatusFailed DatasetStatus = "failed"` - `const DatasetStatusComplete DatasetStatus = "complete"` - `UpdatedAt Time` Stores when the dataset was last updated. This includes name or description changes as well as uploads. - `Uploads []DatasetUpload` - `NumCells int64` - `Status DatasetUploadsStatus` - `const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"` - `const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"` - `const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"` - `const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"` - `const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"` - `const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"` - `Version int64` - `CaseSensitive bool` - `Description string` The description of the dataset. 
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) dataset, err := client.ZeroTrust.DLP.Datasets.Update( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPDatasetUpdateParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", dataset.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "columns": [ { "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty" } ], "created_at": "2019-12-27T18:11:19.117Z", "encoding_version": 0, "name": "name", "num_cells": 0, "secret": true, "status": "empty", "updated_at": "2019-12-27T18:11:19.117Z", "uploads": [ { "num_cells": 0, "status": "empty", "version": 0 } ], "case_sensitive": true, "description": "description" } } ``` ## Delete a dataset `client.ZeroTrust.DLP.Datasets.Delete(ctx, datasetID, body) error` **delete** `/accounts/{account_id}/dlp/datasets/{dataset_id}` This deletes all versions of the dataset. 
### Parameters - `datasetID string` - `body DLPDatasetDeleteParams` - `AccountID param.Field[string]` ### Example ```go package main import ( "context" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) err := client.ZeroTrust.DLP.Datasets.Delete( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPDatasetDeleteParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } } ``` ## Domain Types ### Dataset - `type Dataset struct{…}` - `ID string` - `Columns []DatasetColumn` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus DatasetColumnsUploadStatus` - `const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"` - `const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"` - `const DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"` - `const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"` - `const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"` - `const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"` - `CreatedAt Time` - `EncodingVersion int64` - `Name string` - `NumCells int64` - `Secret bool` - `Status DatasetStatus` - `const DatasetStatusEmpty DatasetStatus = "empty"` - `const DatasetStatusUploading DatasetStatus = "uploading"` - `const DatasetStatusPending DatasetStatus = "pending"` - `const DatasetStatusProcessing DatasetStatus = "processing"` - `const DatasetStatusFailed DatasetStatus = "failed"` - `const DatasetStatusComplete DatasetStatus = "complete"` - `UpdatedAt Time` Stores when the dataset was last updated. This includes name or description changes as well as uploads. 
- `Uploads []DatasetUpload` - `NumCells int64` - `Status DatasetUploadsStatus` - `const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"` - `const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"` - `const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"` - `const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"` - `const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"` - `const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"` - `Version int64` - `CaseSensitive bool` - `Description string` The description of the dataset. ### Dataset Array - `type DatasetArray []Dataset` - `ID string` - `Columns []DatasetColumn` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus DatasetColumnsUploadStatus` - `const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"` - `const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"` - `const DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"` - `const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"` - `const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"` - `const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"` - `CreatedAt Time` - `EncodingVersion int64` - `Name string` - `NumCells int64` - `Secret bool` - `Status DatasetStatus` - `const DatasetStatusEmpty DatasetStatus = "empty"` - `const DatasetStatusUploading DatasetStatus = "uploading"` - `const DatasetStatusPending DatasetStatus = "pending"` - `const DatasetStatusProcessing DatasetStatus = "processing"` - `const DatasetStatusFailed DatasetStatus = "failed"` - `const DatasetStatusComplete DatasetStatus = "complete"` - `UpdatedAt Time` Stores when the dataset was last updated. This includes name or description changes as well as uploads. 
- `Uploads []DatasetUpload` - `NumCells int64` - `Status DatasetUploadsStatus` - `const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"` - `const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"` - `const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"` - `const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"` - `const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"` - `const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"` - `Version int64` - `CaseSensitive bool` - `Description string` The description of the dataset. ### Dataset Creation - `type DatasetCreation struct{…}` - `Dataset Dataset` - `ID string` - `Columns []DatasetColumn` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus DatasetColumnsUploadStatus` - `const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"` - `const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"` - `const DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"` - `const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"` - `const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"` - `const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"` - `CreatedAt Time` - `EncodingVersion int64` - `Name string` - `NumCells int64` - `Secret bool` - `Status DatasetStatus` - `const DatasetStatusEmpty DatasetStatus = "empty"` - `const DatasetStatusUploading DatasetStatus = "uploading"` - `const DatasetStatusPending DatasetStatus = "pending"` - `const DatasetStatusProcessing DatasetStatus = "processing"` - `const DatasetStatusFailed DatasetStatus = "failed"` - `const DatasetStatusComplete DatasetStatus = "complete"` - `UpdatedAt Time` Stores when the dataset was last updated. This includes name or description changes as well as uploads. 
- `Uploads []DatasetUpload` - `NumCells int64` - `Status DatasetUploadsStatus` - `const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"` - `const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"` - `const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"` - `const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"` - `const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"` - `const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"` - `Version int64` - `CaseSensitive bool` - `Description string` The description of the dataset. - `EncodingVersion int64` Encoding version to use for dataset. - `MaxCells int64` - `Version int64` The version to use when uploading the dataset. - `Secret string` The secret to use for Exact Data Match datasets. This is not present in Custom Wordlists. # Upload ## Prepare to upload a new version of a dataset `client.ZeroTrust.DLP.Datasets.Upload.New(ctx, datasetID, body) (*NewVersion, error)` **post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/upload` Creates a new version of a DLP dataset, allowing you to stage changes before activation. Used for single-column EDM and custom word lists. 
### Parameters - `datasetID string` - `body DLPDatasetUploadNewParams` - `AccountID param.Field[string]` ### Returns - `type NewVersion struct{…}` - `EncodingVersion int64` - `MaxCells int64` - `Version int64` - `CaseSensitive bool` - `Columns []NewVersionColumn` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus NewVersionColumnsUploadStatus` - `const NewVersionColumnsUploadStatusEmpty NewVersionColumnsUploadStatus = "empty"` - `const NewVersionColumnsUploadStatusUploading NewVersionColumnsUploadStatus = "uploading"` - `const NewVersionColumnsUploadStatusPending NewVersionColumnsUploadStatus = "pending"` - `const NewVersionColumnsUploadStatusProcessing NewVersionColumnsUploadStatus = "processing"` - `const NewVersionColumnsUploadStatusFailed NewVersionColumnsUploadStatus = "failed"` - `const NewVersionColumnsUploadStatusComplete NewVersionColumnsUploadStatus = "complete"` - `Secret string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) newVersion, err := client.ZeroTrust.DLP.Datasets.Upload.New( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPDatasetUploadNewParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", newVersion.EncodingVersion) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "encoding_version": 0, "max_cells": 0, "version": 0, "case_sensitive": true, "columns": [ { "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": 
"header_name", "num_cells": 0, "upload_status": "empty" } ], "secret": "secret" } } ``` ## Upload a new version of a dataset `client.ZeroTrust.DLP.Datasets.Upload.Edit(ctx, datasetID, version, dataset, params) (*Dataset, error)` **post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/upload/{version}` This is used for single-column EDMv1 and Custom Word Lists. The EDM format can only be created in the Cloudflare dashboard. For other clients, this operation can only be used for non-secret Custom Word Lists. The body must be a UTF-8 encoded, newline (NL or CRNL) separated list of words to be matched. ### Parameters - `datasetID string` - `version int64` - `dataset Reader` - `params DLPDatasetUploadEditParams` - `AccountID param.Field[string]` Path param ### Returns - `type Dataset struct{…}` - `ID string` - `Columns []DatasetColumn` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus DatasetColumnsUploadStatus` - `const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"` - `const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"` - `const DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"` - `const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"` - `const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"` - `const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"` - `CreatedAt Time` - `EncodingVersion int64` - `Name string` - `NumCells int64` - `Secret bool` - `Status DatasetStatus` - `const DatasetStatusEmpty DatasetStatus = "empty"` - `const DatasetStatusUploading DatasetStatus = "uploading"` - `const DatasetStatusPending DatasetStatus = "pending"` - `const DatasetStatusProcessing DatasetStatus = "processing"` - `const DatasetStatusFailed DatasetStatus = "failed"` - `const DatasetStatusComplete DatasetStatus = "complete"` - `UpdatedAt Time` Stores when the dataset was last updated. 
This includes name or description changes as well as uploads. - `Uploads []DatasetUpload` - `NumCells int64` - `Status DatasetUploadsStatus` - `const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"` - `const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"` - `const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"` - `const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"` - `const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"` - `const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"` - `Version int64` - `CaseSensitive bool` - `Description string` The description of the dataset. ### Example ```go package main import ( "bytes" "context" "fmt" "io" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) dataset, err := client.ZeroTrust.DLP.Datasets.Upload.Edit( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", int64(0), io.Reader(bytes.NewBuffer([]byte("Example data"))), zero_trust.DLPDatasetUploadEditParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", dataset.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "columns": [ { "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty" } ], "created_at": "2019-12-27T18:11:19.117Z", "encoding_version": 0, "name": "name", "num_cells": 0, "secret": true, "status": "empty", "updated_at": 
"2019-12-27T18:11:19.117Z", "uploads": [ { "num_cells": 0, "status": "empty", "version": 0 } ], "case_sensitive": true, "description": "description" } } ``` ## Domain Types ### New Version - `type NewVersion struct{…}` - `EncodingVersion int64` - `MaxCells int64` - `Version int64` - `CaseSensitive bool` - `Columns []NewVersionColumn` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus NewVersionColumnsUploadStatus` - `const NewVersionColumnsUploadStatusEmpty NewVersionColumnsUploadStatus = "empty"` - `const NewVersionColumnsUploadStatusUploading NewVersionColumnsUploadStatus = "uploading"` - `const NewVersionColumnsUploadStatusPending NewVersionColumnsUploadStatus = "pending"` - `const NewVersionColumnsUploadStatusProcessing NewVersionColumnsUploadStatus = "processing"` - `const NewVersionColumnsUploadStatusFailed NewVersionColumnsUploadStatus = "failed"` - `const NewVersionColumnsUploadStatusComplete NewVersionColumnsUploadStatus = "complete"` - `Secret string` # Versions ## Sets the column information for a multi-column upload `client.ZeroTrust.DLP.Datasets.Versions.New(ctx, datasetID, version, params) (*SinglePage[DLPDatasetVersionNewResponse], error)` **post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}` This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard. The columns in the response appear in the same order as in the request. 
### Parameters - `datasetID string` - `version int64` - `params DLPDatasetVersionNewParams` - `AccountID param.Field[string]` Path param - `Body param.Field[[]DLPDatasetVersionNewParamsBody]` Body param - `type DLPDatasetVersionNewParamsBodyExistingColumn struct{…}` - `EntryID string` - `HeaderName string` - `NumCells int64` - `type DLPDatasetVersionNewParamsBodyNewColumn struct{…}` - `EntryName string` - `HeaderName string` - `NumCells int64` ### Returns - `type DLPDatasetVersionNewResponse struct{…}` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus DLPDatasetVersionNewResponseUploadStatus` - `const DLPDatasetVersionNewResponseUploadStatusEmpty DLPDatasetVersionNewResponseUploadStatus = "empty"` - `const DLPDatasetVersionNewResponseUploadStatusUploading DLPDatasetVersionNewResponseUploadStatus = "uploading"` - `const DLPDatasetVersionNewResponseUploadStatusPending DLPDatasetVersionNewResponseUploadStatus = "pending"` - `const DLPDatasetVersionNewResponseUploadStatusProcessing DLPDatasetVersionNewResponseUploadStatus = "processing"` - `const DLPDatasetVersionNewResponseUploadStatusFailed DLPDatasetVersionNewResponseUploadStatus = "failed"` - `const DLPDatasetVersionNewResponseUploadStatusComplete DLPDatasetVersionNewResponseUploadStatus = "complete"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.DLP.Datasets.Versions.New( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", int64(0), zero_trust.DLPDatasetVersionNewParams{ AccountID: cloudflare.F("account_id"), Body: []zero_trust.DLPDatasetVersionNewParamsBodyUnion{zero_trust.DLPDatasetVersionNewParamsBodyExistingColumn{ EntryID: cloudflare.F("182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"), }}, }, ) if err != nil 
{ panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty" } ] } ``` # Entries ## Upload a new version of a multi-column dataset `client.ZeroTrust.DLP.Datasets.Versions.Entries.New(ctx, datasetID, version, entryID, datasetVersionEntry, params) (*DLPDatasetVersionEntryNewResponse, error)` **post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}/entries/{entry_id}` This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard. ### Parameters - `datasetID string` - `version int64` - `entryID string` - `datasetVersionEntry Reader` - `params DLPDatasetVersionEntryNewParams` - `AccountID param.Field[string]` Path param ### Returns - `type DLPDatasetVersionEntryNewResponse struct{…}` - `EntryID string` - `HeaderName string` - `NumCells int64` - `UploadStatus DLPDatasetVersionEntryNewResponseUploadStatus` - `const DLPDatasetVersionEntryNewResponseUploadStatusEmpty DLPDatasetVersionEntryNewResponseUploadStatus = "empty"` - `const DLPDatasetVersionEntryNewResponseUploadStatusUploading DLPDatasetVersionEntryNewResponseUploadStatus = "uploading"` - `const DLPDatasetVersionEntryNewResponseUploadStatusPending DLPDatasetVersionEntryNewResponseUploadStatus = "pending"` - `const DLPDatasetVersionEntryNewResponseUploadStatusProcessing DLPDatasetVersionEntryNewResponseUploadStatus = "processing"` - `const DLPDatasetVersionEntryNewResponseUploadStatusFailed DLPDatasetVersionEntryNewResponseUploadStatus = "failed"` - `const DLPDatasetVersionEntryNewResponseUploadStatusComplete 
DLPDatasetVersionEntryNewResponseUploadStatus = "complete"`

### Example

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"io"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	entry, err := client.ZeroTrust.DLP.Datasets.Versions.Entries.New(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		int64(0),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		io.Reader(bytes.NewBuffer([]byte("Example data"))),
		zero_trust.DLPDatasetVersionEntryNewParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", entry.EntryID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "header_name": "header_name",
    "num_cells": 0,
    "upload_status": "empty"
  }
}
```

# Patterns

## Validate a DLP regex pattern

`client.ZeroTrust.DLP.Patterns.Validate(ctx, params) (*DLPPatternValidateResponse, error)`

**post** `/accounts/{account_id}/dlp/patterns/validate`

Validates whether this pattern is a valid regular expression. Rejects it if the regular expression is too complex or can match an unbounded-length string. The regex will be rejected if it uses `*` or `+`. Bound the maximum number of characters that can be matched using a range, e.g. `{1,100}`.

### Parameters

- `params DLPPatternValidateParams`
  - `AccountID param.Field[string]`

    Path param: Account ID.
  - `Regex param.Field[string]`

    Body param
  - `MaxMatchBytes param.Field[int64]`

    Body param: Maximum number of bytes that the regular expression can match. If this is `null` then there is no limit on the length. Patterns can use `*` and `+`. Otherwise repeats should use a range `{m,n}` to restrict patterns to the length. If this field is missing, then a default length limit is used. Note that the length is specified in bytes. Since regular expressions use UTF-8 the pattern `.` can match up to 4 bytes. Hence `.{1,256}` has a maximum length of 1024 bytes.

### Returns

- `type DLPPatternValidateResponse struct{…}`
  - `Valid bool`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.DLP.Patterns.Validate(context.TODO(), zero_trust.DLPPatternValidateParams{
		AccountID: cloudflare.F("account_id"),
		Regex:     cloudflare.F("regex"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.Valid)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "valid": true
  }
}
```

# Payload Logs

## Get payload log settings

`client.ZeroTrust.DLP.PayloadLogs.Get(ctx, query) (*DLPPayloadLogGetResponse, error)`

**get** `/accounts/{account_id}/dlp/payload_log`

Gets the current payload logging configuration for DLP, showing whether matched content is being logged.

### Parameters

- `query DLPPayloadLogGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type DLPPayloadLogGetResponse struct{…}`
  - `UpdatedAt Time`
  - `MaskingLevel DLPPayloadLogGetResponseMaskingLevel`

    Masking level for payload logs.

    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.

    - `const DLPPayloadLogGetResponseMaskingLevelFull DLPPayloadLogGetResponseMaskingLevel = "full"`
    - `const DLPPayloadLogGetResponseMaskingLevelPartial DLPPayloadLogGetResponseMaskingLevel = "partial"`
    - `const DLPPayloadLogGetResponseMaskingLevelClear DLPPayloadLogGetResponseMaskingLevel = "clear"`
    - `const DLPPayloadLogGetResponseMaskingLevelDefault DLPPayloadLogGetResponseMaskingLevel = "default"`
  - `PublicKey string`

    Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	payloadLog, err := client.ZeroTrust.DLP.PayloadLogs.Get(context.TODO(), zero_trust.DLPPayloadLogGetParams{
		AccountID: cloudflare.F("account_id"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", payloadLog.UpdatedAt)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "updated_at": "2019-12-27T18:11:19.117Z",
    "masking_level": "full",
    "public_key": "public_key"
  }
}
```

## Set payload log settings

`client.ZeroTrust.DLP.PayloadLogs.Update(ctx, params) (*DLPPayloadLogUpdateResponse, error)`

**put** `/accounts/{account_id}/dlp/payload_log`

Enables or disables payload logging for DLP matches. When enabled, matched content is stored for review.
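The length rule of the pattern validation endpoint above (`/dlp/patterns/validate`) can be checked locally before a pattern is submitted. The following is an added example, not part of the Cloudflare SDK or its documentation: it uses Go's `regexp/syntax` as a stand-in for the service's regex dialect (an assumption) to compute the maximum match length in bytes, and it generalizes the `.{1,256}` case to literals, character classes, case folding and alternation. `MaxMatchBytes`, `Precheck` and `ErrUnbounded` are names chosen for this example; the API's own verdict remains authoritative and its complexity check is not modeled.

```go
package main

import (
	"errors"
	"fmt"
	"regexp/syntax"
	"unicode"
	"unicode/utf8"
)

// ErrUnbounded: the pattern uses `*`, `+` or an open-ended `{m,}` repeat.
var ErrUnbounded = errors.New("pattern can match an unbounded-length string")

// runeBytes is the widest UTF-8 encoding of r or, under (?i), of its case-fold variants.
func runeBytes(r rune, fold bool) int64 {
	w := len(string(r)) // unencodable runes count as U+FFFD, 3 bytes
	for f := unicode.SimpleFold(r); fold && f != r; f = unicode.SimpleFold(f) {
		if l := utf8.RuneLen(f); l > w {
			w = l
		}
	}
	return int64(w)
}

// maxBytes returns the largest number of bytes any match of re can span.
func maxBytes(re *syntax.Regexp) (int64, error) {
	switch re.Op {
	case syntax.OpLiteral:
		var n int64
		for _, r := range re.Rune {
			n += runeBytes(r, re.Flags&syntax.FoldCase != 0)
		}
		return n, nil
	case syntax.OpCharClass:
		var w int64 // re.Rune holds [lo, hi] pairs; the widest member is the largest hi
		for i := 1; i < len(re.Rune); i += 2 {
			if b := runeBytes(re.Rune[i], false); b > w {
				w = b
			}
		}
		return w, nil
	case syntax.OpAnyChar, syntax.OpAnyCharNotNL:
		return utf8.UTFMax, nil // `.` can match a 4-byte code point
	case syntax.OpStar, syntax.OpPlus:
		return 0, ErrUnbounded
	case syntax.OpRepeat:
		if re.Max < 0 {
			return 0, ErrUnbounded
		}
		n, err := maxBytes(re.Sub[0])
		return n * int64(re.Max), err
	case syntax.OpQuest, syntax.OpCapture:
		return maxBytes(re.Sub[0])
	case syntax.OpConcat, syntax.OpAlternate:
		var total int64
		for _, sub := range re.Sub {
			n, err := maxBytes(sub)
			if err != nil {
				return 0, err
			}
			if re.Op == syntax.OpConcat {
				total += n
			} else if n > total {
				total = n
			}
		}
		return total, nil
	}
	return 0, nil // anchors, word boundaries and empty matches consume no input
}

// MaxMatchBytes bounds, in bytes, the text a single match of pattern can cover.
func MaxMatchBytes(pattern string) (int64, error) {
	re, err := syntax.Parse(pattern, syntax.Perl)
	if err != nil {
		return 0, err
	}
	return maxBytes(re)
}

// Precheck applies the documented rule locally; a nil limit models max_match_bytes: null.
func Precheck(pattern string, limit *int64) error {
	n, err := MaxMatchBytes(pattern)
	if limit == nil && errors.Is(err, ErrUnbounded) {
		return nil // no length limit, so `*` and `+` are acceptable
	}
	if err == nil && limit != nil && n > *limit {
		err = fmt.Errorf("pattern can match %d bytes, limit is %d", n, *limit)
	}
	return err
}

func main() {
	limit := int64(1024) // constructed limit; the service default is not given here
	for _, p := range []string{`.{1,256}`, `.{1,257}`, `(?i)k`, `[A-Z]+\d{4}`} {
		fmt.Printf("%-14q -> %v\n", p, Precheck(p, &limit))
	}
}
```

Budgeting for the widest encoding matters in practice: a case-insensitive ASCII literal such as `(?i)k` already needs 3 bytes, because it also matches the Kelvin sign U+212A.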
### Parameters

- `params DLPPayloadLogUpdateParams`
  - `AccountID param.Field[string]`

    Path param
  - `MaskingLevel param.Field[DLPPayloadLogUpdateParamsMaskingLevel]`

    Body param: Masking level for payload logs.

    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.

    - `const DLPPayloadLogUpdateParamsMaskingLevelFull DLPPayloadLogUpdateParamsMaskingLevel = "full"`
    - `const DLPPayloadLogUpdateParamsMaskingLevelPartial DLPPayloadLogUpdateParamsMaskingLevel = "partial"`
    - `const DLPPayloadLogUpdateParamsMaskingLevelClear DLPPayloadLogUpdateParamsMaskingLevel = "clear"`
    - `const DLPPayloadLogUpdateParamsMaskingLevelDefault DLPPayloadLogUpdateParamsMaskingLevel = "default"`
  - `PublicKey param.Field[string]`

    Body param: Base64-encoded public key for encrypting payload logs.

    - Set to null or empty string to disable payload logging.
    - Set to a non-empty base64 string to enable payload logging with the given key.

    For customers with configurable payload masking feature rolled out:

    - If the field is missing, the existing setting will be kept. Note that this is different from setting to null or empty string.

    For all other customers:

    - If the field is missing, the existing setting will be cleared.

### Returns

- `type DLPPayloadLogUpdateResponse struct{…}`
  - `UpdatedAt Time`
  - `MaskingLevel DLPPayloadLogUpdateResponseMaskingLevel`

    Masking level for payload logs.

    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.

    - `const DLPPayloadLogUpdateResponseMaskingLevelFull DLPPayloadLogUpdateResponseMaskingLevel = "full"`
    - `const DLPPayloadLogUpdateResponseMaskingLevelPartial DLPPayloadLogUpdateResponseMaskingLevel = "partial"`
    - `const DLPPayloadLogUpdateResponseMaskingLevelClear DLPPayloadLogUpdateResponseMaskingLevel = "clear"`
    - `const DLPPayloadLogUpdateResponseMaskingLevelDefault DLPPayloadLogUpdateResponseMaskingLevel = "default"`
  - `PublicKey string`

    Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	payloadLog, err := client.ZeroTrust.DLP.PayloadLogs.Update(context.TODO(), zero_trust.DLPPayloadLogUpdateParams{
		AccountID: cloudflare.F("account_id"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", payloadLog.UpdatedAt)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "updated_at": "2019-12-27T18:11:19.117Z",
    "masking_level": "full",
    "public_key": "public_key"
  }
}
```

# Email

# Account Mapping

## Get mapping

`client.ZeroTrust.DLP.Email.AccountMapping.Get(ctx, query) (*DLPEmailAccountMappingGetResponse, error)`

**get** `/accounts/{account_id}/dlp/email/account_mapping`

Retrieves the email provider mapping configuration for DLP email scanning.
### Parameters - `query DLPEmailAccountMappingGetParams` - `AccountID param.Field[string]` ### Returns - `type DLPEmailAccountMappingGetResponse struct{…}` - `AddinIdentifierToken string` - `AuthRequirements DLPEmailAccountMappingGetResponseAuthRequirements` - `type DLPEmailAccountMappingGetResponseAuthRequirementsObject struct{…}` - `AllowedMicrosoftOrganizations []string` - `Type DLPEmailAccountMappingGetResponseAuthRequirementsObjectType` - `const DLPEmailAccountMappingGetResponseAuthRequirementsObjectTypeOrg DLPEmailAccountMappingGetResponseAuthRequirementsObjectType = "Org"` - `type DLPEmailAccountMappingGetResponseAuthRequirementsType struct{…}` - `Type DLPEmailAccountMappingGetResponseAuthRequirementsTypeType` - `const DLPEmailAccountMappingGetResponseAuthRequirementsTypeTypeNoAuth DLPEmailAccountMappingGetResponseAuthRequirementsTypeType = "NoAuth"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) accountMapping, err := client.ZeroTrust.DLP.Email.AccountMapping.Get(context.TODO(), zero_trust.DLPEmailAccountMappingGetParams{ AccountID: cloudflare.F("account_id"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", accountMapping.AddinIdentifierToken) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "addin_identifier_token": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "auth_requirements": { "allowed_microsoft_organizations": [ "string" ], "type": "Org" } } } ``` ## Create mapping `client.ZeroTrust.DLP.Email.AccountMapping.New(ctx, 
params) (*DLPEmailAccountMappingNewResponse, error)` **post** `/accounts/{account_id}/dlp/email/account_mapping` Creates a mapping between a Cloudflare account and an email provider for DLP email scanning integration. ### Parameters - `params DLPEmailAccountMappingNewParams` - `AccountID param.Field[string]` Path param - `AuthRequirements param.Field[DLPEmailAccountMappingNewParamsAuthRequirements]` Body param - `type DLPEmailAccountMappingNewParamsAuthRequirementsObject struct{…}` - `AllowedMicrosoftOrganizations []string` - `Type DLPEmailAccountMappingNewParamsAuthRequirementsObjectType` - `const DLPEmailAccountMappingNewParamsAuthRequirementsObjectTypeOrg DLPEmailAccountMappingNewParamsAuthRequirementsObjectType = "Org"` - `type DLPEmailAccountMappingNewParamsAuthRequirementsType struct{…}` - `Type DLPEmailAccountMappingNewParamsAuthRequirementsTypeType` - `const DLPEmailAccountMappingNewParamsAuthRequirementsTypeTypeNoAuth DLPEmailAccountMappingNewParamsAuthRequirementsTypeType = "NoAuth"` ### Returns - `type DLPEmailAccountMappingNewResponse struct{…}` - `AddinIdentifierToken string` - `AuthRequirements DLPEmailAccountMappingNewResponseAuthRequirements` - `type DLPEmailAccountMappingNewResponseAuthRequirementsObject struct{…}` - `AllowedMicrosoftOrganizations []string` - `Type DLPEmailAccountMappingNewResponseAuthRequirementsObjectType` - `const DLPEmailAccountMappingNewResponseAuthRequirementsObjectTypeOrg DLPEmailAccountMappingNewResponseAuthRequirementsObjectType = "Org"` - `type DLPEmailAccountMappingNewResponseAuthRequirementsType struct{…}` - `Type DLPEmailAccountMappingNewResponseAuthRequirementsTypeType` - `const DLPEmailAccountMappingNewResponseAuthRequirementsTypeTypeNoAuth DLPEmailAccountMappingNewResponseAuthRequirementsTypeType = "NoAuth"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client 
:= cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) accountMapping, err := client.ZeroTrust.DLP.Email.AccountMapping.New(context.TODO(), zero_trust.DLPEmailAccountMappingNewParams{ AccountID: cloudflare.F("account_id"), AuthRequirements: cloudflare.F[zero_trust.DLPEmailAccountMappingNewParamsAuthRequirementsUnion](zero_trust.DLPEmailAccountMappingNewParamsAuthRequirementsObject{ AllowedMicrosoftOrganizations: cloudflare.F([]string{"string"}), Type: cloudflare.F(zero_trust.DLPEmailAccountMappingNewParamsAuthRequirementsObjectTypeOrg), }), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", accountMapping.AddinIdentifierToken) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "addin_identifier_token": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "auth_requirements": { "allowed_microsoft_organizations": [ "string" ], "type": "Org" } } } ``` # Rules ## List all email scanner rules `client.ZeroTrust.DLP.Email.Rules.List(ctx, query) (*SinglePage[DLPEmailRuleListResponse], error)` **get** `/accounts/{account_id}/dlp/email/rules` Lists all email scanner rules for an account. ### Parameters - `query DLPEmailRuleListParams` - `AccountID param.Field[string]` ### Returns - `type DLPEmailRuleListResponse struct{…}` - `Action DLPEmailRuleListResponseAction` - `Action DLPEmailRuleListResponseActionAction` - `const DLPEmailRuleListResponseActionActionBlock DLPEmailRuleListResponseActionAction = "Block"` - `Message string` - `Conditions []DLPEmailRuleListResponseCondition` Triggered if all conditions match. 
- `Operator DLPEmailRuleListResponseConditionsOperator` - `const DLPEmailRuleListResponseConditionsOperatorInList DLPEmailRuleListResponseConditionsOperator = "InList"` - `const DLPEmailRuleListResponseConditionsOperatorNotInList DLPEmailRuleListResponseConditionsOperator = "NotInList"` - `const DLPEmailRuleListResponseConditionsOperatorMatchRegex DLPEmailRuleListResponseConditionsOperator = "MatchRegex"` - `const DLPEmailRuleListResponseConditionsOperatorNotMatchRegex DLPEmailRuleListResponseConditionsOperator = "NotMatchRegex"` - `Selector DLPEmailRuleListResponseConditionsSelector` - `const DLPEmailRuleListResponseConditionsSelectorRecipients DLPEmailRuleListResponseConditionsSelector = "Recipients"` - `const DLPEmailRuleListResponseConditionsSelectorSender DLPEmailRuleListResponseConditionsSelector = "Sender"` - `const DLPEmailRuleListResponseConditionsSelectorDLPProfiles DLPEmailRuleListResponseConditionsSelector = "DLPProfiles"` - `Value DLPEmailRuleListResponseConditionsValueUnion` - `type DLPEmailRuleListResponseConditionsValueArray []string` - `UnionString` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Priority int64` - `RuleID string` - `UpdatedAt Time` - `Description string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.DLP.Email.Rules.List(context.TODO(), zero_trust.DLPEmailRuleListParams{ AccountID: cloudflare.F("account_id"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { 
"pointer": "pointer" } } ], "success": true, "result": [ { "action": { "action": "Block", "message": "message" }, "conditions": [ { "operator": "InList", "selector": "Recipients", "value": [ "string" ] } ], "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "priority": 0, "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description" } ] } ``` ## Get an email scanner rule `client.ZeroTrust.DLP.Email.Rules.Get(ctx, ruleID, query) (*DLPEmailRuleGetResponse, error)` **get** `/accounts/{account_id}/dlp/email/rules/{rule_id}` Gets detailed configuration for a specific DLP email scanning rule, including detection patterns and actions. ### Parameters - `ruleID string` - `query DLPEmailRuleGetParams` - `AccountID param.Field[string]` ### Returns - `type DLPEmailRuleGetResponse struct{…}` - `Action DLPEmailRuleGetResponseAction` - `Action DLPEmailRuleGetResponseActionAction` - `const DLPEmailRuleGetResponseActionActionBlock DLPEmailRuleGetResponseActionAction = "Block"` - `Message string` - `Conditions []DLPEmailRuleGetResponseCondition` Triggered if all conditions match. 
- `Operator DLPEmailRuleGetResponseConditionsOperator` - `const DLPEmailRuleGetResponseConditionsOperatorInList DLPEmailRuleGetResponseConditionsOperator = "InList"` - `const DLPEmailRuleGetResponseConditionsOperatorNotInList DLPEmailRuleGetResponseConditionsOperator = "NotInList"` - `const DLPEmailRuleGetResponseConditionsOperatorMatchRegex DLPEmailRuleGetResponseConditionsOperator = "MatchRegex"` - `const DLPEmailRuleGetResponseConditionsOperatorNotMatchRegex DLPEmailRuleGetResponseConditionsOperator = "NotMatchRegex"` - `Selector DLPEmailRuleGetResponseConditionsSelector` - `const DLPEmailRuleGetResponseConditionsSelectorRecipients DLPEmailRuleGetResponseConditionsSelector = "Recipients"` - `const DLPEmailRuleGetResponseConditionsSelectorSender DLPEmailRuleGetResponseConditionsSelector = "Sender"` - `const DLPEmailRuleGetResponseConditionsSelectorDLPProfiles DLPEmailRuleGetResponseConditionsSelector = "DLPProfiles"` - `Value DLPEmailRuleGetResponseConditionsValueUnion` - `type DLPEmailRuleGetResponseConditionsValueArray []string` - `UnionString` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Priority int64` - `RuleID string` - `UpdatedAt Time` - `Description string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) rule, err := client.ZeroTrust.DLP.Email.Rules.Get( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPEmailRuleGetParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", rule.RuleID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": 
        "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": {
      "action": "Block",
      "message": "message"
    },
    "conditions": [
      {
        "operator": "InList",
        "selector": "Recipients",
        "value": [
          "string"
        ]
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Create email scanner rule

`client.ZeroTrust.DLP.Email.Rules.New(ctx, params) (*DLPEmailRuleNewResponse, error)`

**post** `/accounts/{account_id}/dlp/email/rules`

Creates a new DLP email scanning rule that defines what content patterns to detect in email messages and what actions to take.

### Parameters

- `params DLPEmailRuleNewParams`
  - `AccountID param.Field[string]` Path param
  - `Action param.Field[DLPEmailRuleNewParamsAction]` Body param
    - `Action DLPEmailRuleNewParamsActionAction`
      - `const DLPEmailRuleNewParamsActionActionBlock DLPEmailRuleNewParamsActionAction = "Block"`
    - `Message string`
  - `Conditions param.Field[[]DLPEmailRuleNewParamsCondition]` Body param: Triggered if all conditions match.
    - `Operator DLPEmailRuleNewParamsConditionsOperator`
      - `const DLPEmailRuleNewParamsConditionsOperatorInList DLPEmailRuleNewParamsConditionsOperator = "InList"`
      - `const DLPEmailRuleNewParamsConditionsOperatorNotInList DLPEmailRuleNewParamsConditionsOperator = "NotInList"`
      - `const DLPEmailRuleNewParamsConditionsOperatorMatchRegex DLPEmailRuleNewParamsConditionsOperator = "MatchRegex"`
      - `const DLPEmailRuleNewParamsConditionsOperatorNotMatchRegex DLPEmailRuleNewParamsConditionsOperator = "NotMatchRegex"`
    - `Selector DLPEmailRuleNewParamsConditionsSelector`
      - `const DLPEmailRuleNewParamsConditionsSelectorRecipients DLPEmailRuleNewParamsConditionsSelector = "Recipients"`
      - `const DLPEmailRuleNewParamsConditionsSelectorSender DLPEmailRuleNewParamsConditionsSelector = "Sender"`
      - `const DLPEmailRuleNewParamsConditionsSelectorDLPProfiles DLPEmailRuleNewParamsConditionsSelector = "DLPProfiles"`
    - `Value DLPEmailRuleNewParamsConditionsValueUnion`
      - `type DLPEmailRuleNewParamsConditionsValueArray []string`
      - `UnionString`
  - `Enabled param.Field[bool]` Body param
  - `Name param.Field[string]` Body param
  - `Description param.Field[string]` Body param

### Returns

- `type DLPEmailRuleNewResponse struct{…}`
  - `Action DLPEmailRuleNewResponseAction`
    - `Action DLPEmailRuleNewResponseActionAction`
      - `const DLPEmailRuleNewResponseActionActionBlock DLPEmailRuleNewResponseActionAction = "Block"`
    - `Message string`
  - `Conditions []DLPEmailRuleNewResponseCondition` Triggered if all conditions match.
    - `Operator DLPEmailRuleNewResponseConditionsOperator`
      - `const DLPEmailRuleNewResponseConditionsOperatorInList DLPEmailRuleNewResponseConditionsOperator = "InList"`
      - `const DLPEmailRuleNewResponseConditionsOperatorNotInList DLPEmailRuleNewResponseConditionsOperator = "NotInList"`
      - `const DLPEmailRuleNewResponseConditionsOperatorMatchRegex DLPEmailRuleNewResponseConditionsOperator = "MatchRegex"`
      - `const DLPEmailRuleNewResponseConditionsOperatorNotMatchRegex DLPEmailRuleNewResponseConditionsOperator = "NotMatchRegex"`
    - `Selector DLPEmailRuleNewResponseConditionsSelector`
      - `const DLPEmailRuleNewResponseConditionsSelectorRecipients DLPEmailRuleNewResponseConditionsSelector = "Recipients"`
      - `const DLPEmailRuleNewResponseConditionsSelectorSender DLPEmailRuleNewResponseConditionsSelector = "Sender"`
      - `const DLPEmailRuleNewResponseConditionsSelectorDLPProfiles DLPEmailRuleNewResponseConditionsSelector = "DLPProfiles"`
    - `Value DLPEmailRuleNewResponseConditionsValueUnion`
      - `type DLPEmailRuleNewResponseConditionsValueArray []string`
      - `UnionString`
  - `CreatedAt Time`
  - `Enabled bool`
  - `Name string`
  - `Priority int64`
  - `RuleID string`
  - `UpdatedAt Time`
  - `Description string`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  rule, err := client.ZeroTrust.DLP.Email.Rules.New(context.TODO(), zero_trust.DLPEmailRuleNewParams{
    AccountID: cloudflare.F("account_id"),
    Action: cloudflare.F(zero_trust.DLPEmailRuleNewParamsAction{
      Action: cloudflare.F(zero_trust.DLPEmailRuleNewParamsActionActionBlock),
    }),
    Conditions: cloudflare.F([]zero_trust.DLPEmailRuleNewParamsCondition{zero_trust.DLPEmailRuleNewParamsCondition{
      Operator: cloudflare.F(zero_trust.DLPEmailRuleNewParamsConditionsOperatorInList),
      Selector:
        cloudflare.F(zero_trust.DLPEmailRuleNewParamsConditionsSelectorRecipients),
      Value: cloudflare.F[zero_trust.DLPEmailRuleNewParamsConditionsValueUnion](zero_trust.DLPEmailRuleNewParamsConditionsValueArray([]string{"string"})),
    }}),
    Enabled: cloudflare.F(true),
    Name: cloudflare.F("name"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", rule.RuleID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": {
      "action": "Block",
      "message": "message"
    },
    "conditions": [
      {
        "operator": "InList",
        "selector": "Recipients",
        "value": [
          "string"
        ]
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Update email scanner rule

`client.ZeroTrust.DLP.Email.Rules.Update(ctx, ruleID, params) (*DLPEmailRuleUpdateResponse, error)`

**put** `/accounts/{account_id}/dlp/email/rules/{rule_id}`

Update email scanner rule

### Parameters

- `ruleID string`
- `params DLPEmailRuleUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Action param.Field[DLPEmailRuleUpdateParamsAction]` Body param
    - `Action DLPEmailRuleUpdateParamsActionAction`
      - `const DLPEmailRuleUpdateParamsActionActionBlock DLPEmailRuleUpdateParamsActionAction = "Block"`
    - `Message string`
  - `Conditions param.Field[[]DLPEmailRuleUpdateParamsCondition]` Body param: Triggered if all conditions match.
    - `Operator DLPEmailRuleUpdateParamsConditionsOperator`
      - `const DLPEmailRuleUpdateParamsConditionsOperatorInList DLPEmailRuleUpdateParamsConditionsOperator = "InList"`
      - `const DLPEmailRuleUpdateParamsConditionsOperatorNotInList DLPEmailRuleUpdateParamsConditionsOperator = "NotInList"`
      - `const DLPEmailRuleUpdateParamsConditionsOperatorMatchRegex DLPEmailRuleUpdateParamsConditionsOperator = "MatchRegex"`
      - `const DLPEmailRuleUpdateParamsConditionsOperatorNotMatchRegex DLPEmailRuleUpdateParamsConditionsOperator = "NotMatchRegex"`
    - `Selector DLPEmailRuleUpdateParamsConditionsSelector`
      - `const DLPEmailRuleUpdateParamsConditionsSelectorRecipients DLPEmailRuleUpdateParamsConditionsSelector = "Recipients"`
      - `const DLPEmailRuleUpdateParamsConditionsSelectorSender DLPEmailRuleUpdateParamsConditionsSelector = "Sender"`
      - `const DLPEmailRuleUpdateParamsConditionsSelectorDLPProfiles DLPEmailRuleUpdateParamsConditionsSelector = "DLPProfiles"`
    - `Value DLPEmailRuleUpdateParamsConditionsValueUnion`
      - `type DLPEmailRuleUpdateParamsConditionsValueArray []string`
      - `UnionString`
  - `Enabled param.Field[bool]` Body param
  - `Name param.Field[string]` Body param
  - `Description param.Field[string]` Body param

### Returns

- `type DLPEmailRuleUpdateResponse struct{…}`
  - `Action DLPEmailRuleUpdateResponseAction`
    - `Action DLPEmailRuleUpdateResponseActionAction`
      - `const DLPEmailRuleUpdateResponseActionActionBlock DLPEmailRuleUpdateResponseActionAction = "Block"`
    - `Message string`
  - `Conditions []DLPEmailRuleUpdateResponseCondition` Triggered if all conditions match.
    - `Operator DLPEmailRuleUpdateResponseConditionsOperator`
      - `const DLPEmailRuleUpdateResponseConditionsOperatorInList DLPEmailRuleUpdateResponseConditionsOperator = "InList"`
      - `const DLPEmailRuleUpdateResponseConditionsOperatorNotInList DLPEmailRuleUpdateResponseConditionsOperator = "NotInList"`
      - `const DLPEmailRuleUpdateResponseConditionsOperatorMatchRegex DLPEmailRuleUpdateResponseConditionsOperator = "MatchRegex"`
      - `const DLPEmailRuleUpdateResponseConditionsOperatorNotMatchRegex DLPEmailRuleUpdateResponseConditionsOperator = "NotMatchRegex"`
    - `Selector DLPEmailRuleUpdateResponseConditionsSelector`
      - `const DLPEmailRuleUpdateResponseConditionsSelectorRecipients DLPEmailRuleUpdateResponseConditionsSelector = "Recipients"`
      - `const DLPEmailRuleUpdateResponseConditionsSelectorSender DLPEmailRuleUpdateResponseConditionsSelector = "Sender"`
      - `const DLPEmailRuleUpdateResponseConditionsSelectorDLPProfiles DLPEmailRuleUpdateResponseConditionsSelector = "DLPProfiles"`
    - `Value DLPEmailRuleUpdateResponseConditionsValueUnion`
      - `type DLPEmailRuleUpdateResponseConditionsValueArray []string`
      - `UnionString`
  - `CreatedAt Time`
  - `Enabled bool`
  - `Name string`
  - `Priority int64`
  - `RuleID string`
  - `UpdatedAt Time`
  - `Description string`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  rule, err := client.ZeroTrust.DLP.Email.Rules.Update(
    context.TODO(),
    "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    zero_trust.DLPEmailRuleUpdateParams{
      AccountID: cloudflare.F("account_id"),
      Action: cloudflare.F(zero_trust.DLPEmailRuleUpdateParamsAction{
        Action: cloudflare.F(zero_trust.DLPEmailRuleUpdateParamsActionActionBlock),
      }),
      Conditions:
        cloudflare.F([]zero_trust.DLPEmailRuleUpdateParamsCondition{zero_trust.DLPEmailRuleUpdateParamsCondition{
          Operator: cloudflare.F(zero_trust.DLPEmailRuleUpdateParamsConditionsOperatorInList),
          Selector: cloudflare.F(zero_trust.DLPEmailRuleUpdateParamsConditionsSelectorRecipients),
          Value: cloudflare.F[zero_trust.DLPEmailRuleUpdateParamsConditionsValueUnion](zero_trust.DLPEmailRuleUpdateParamsConditionsValueArray([]string{"string"})),
        }}),
      Enabled: cloudflare.F(true),
      Name: cloudflare.F("name"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", rule.RuleID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": {
      "action": "Block",
      "message": "message"
    },
    "conditions": [
      {
        "operator": "InList",
        "selector": "Recipients",
        "value": [
          "string"
        ]
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Delete email scanner rule

`client.ZeroTrust.DLP.Email.Rules.Delete(ctx, ruleID, body) (*DLPEmailRuleDeleteResponse, error)`

**delete** `/accounts/{account_id}/dlp/email/rules/{rule_id}`

Removes a DLP email scanning rule. The rule will no longer be applied to email messages.

### Parameters

- `ruleID string`
- `body DLPEmailRuleDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DLPEmailRuleDeleteResponse struct{…}`
  - `Action DLPEmailRuleDeleteResponseAction`
    - `Action DLPEmailRuleDeleteResponseActionAction`
      - `const DLPEmailRuleDeleteResponseActionActionBlock DLPEmailRuleDeleteResponseActionAction = "Block"`
    - `Message string`
  - `Conditions []DLPEmailRuleDeleteResponseCondition` Triggered if all conditions match.
    - `Operator DLPEmailRuleDeleteResponseConditionsOperator`
      - `const DLPEmailRuleDeleteResponseConditionsOperatorInList DLPEmailRuleDeleteResponseConditionsOperator = "InList"`
      - `const DLPEmailRuleDeleteResponseConditionsOperatorNotInList DLPEmailRuleDeleteResponseConditionsOperator = "NotInList"`
      - `const DLPEmailRuleDeleteResponseConditionsOperatorMatchRegex DLPEmailRuleDeleteResponseConditionsOperator = "MatchRegex"`
      - `const DLPEmailRuleDeleteResponseConditionsOperatorNotMatchRegex DLPEmailRuleDeleteResponseConditionsOperator = "NotMatchRegex"`
    - `Selector DLPEmailRuleDeleteResponseConditionsSelector`
      - `const DLPEmailRuleDeleteResponseConditionsSelectorRecipients DLPEmailRuleDeleteResponseConditionsSelector = "Recipients"`
      - `const DLPEmailRuleDeleteResponseConditionsSelectorSender DLPEmailRuleDeleteResponseConditionsSelector = "Sender"`
      - `const DLPEmailRuleDeleteResponseConditionsSelectorDLPProfiles DLPEmailRuleDeleteResponseConditionsSelector = "DLPProfiles"`
    - `Value DLPEmailRuleDeleteResponseConditionsValueUnion`
      - `type DLPEmailRuleDeleteResponseConditionsValueArray []string`
      - `UnionString`
  - `CreatedAt Time`
  - `Enabled bool`
  - `Name string`
  - `Priority int64`
  - `RuleID string`
  - `UpdatedAt Time`
  - `Description string`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  rule, err := client.ZeroTrust.DLP.Email.Rules.Delete(
    context.TODO(),
    "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    zero_trust.DLPEmailRuleDeleteParams{
      AccountID: cloudflare.F("account_id"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", rule.RuleID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": {
      "action": "Block",
      "message": "message"
    },
    "conditions": [
      {
        "operator": "InList",
        "selector": "Recipients",
        "value": [
          "string"
        ]
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Update email scanner rule priorities

`client.ZeroTrust.DLP.Email.Rules.BulkEdit(ctx, params) (*DLPEmailRuleBulkEditResponse, error)`

**patch** `/accounts/{account_id}/dlp/email/rules`

Reorders DLP email scanning rules by updating their priority values. Higher priority rules are evaluated first.

### Parameters

- `params DLPEmailRuleBulkEditParams`
  - `AccountID param.Field[string]` Path param
  - `NewPriorities param.Field[map[string, int64]]` Body param

### Returns

- `type DLPEmailRuleBulkEditResponse struct{…}`
  - `Action DLPEmailRuleBulkEditResponseAction`
    - `Action DLPEmailRuleBulkEditResponseActionAction`
      - `const DLPEmailRuleBulkEditResponseActionActionBlock DLPEmailRuleBulkEditResponseActionAction = "Block"`
    - `Message string`
  - `Conditions []DLPEmailRuleBulkEditResponseCondition` Triggered if all conditions match.
    - `Operator DLPEmailRuleBulkEditResponseConditionsOperator`
      - `const DLPEmailRuleBulkEditResponseConditionsOperatorInList DLPEmailRuleBulkEditResponseConditionsOperator = "InList"`
      - `const DLPEmailRuleBulkEditResponseConditionsOperatorNotInList DLPEmailRuleBulkEditResponseConditionsOperator = "NotInList"`
      - `const DLPEmailRuleBulkEditResponseConditionsOperatorMatchRegex DLPEmailRuleBulkEditResponseConditionsOperator = "MatchRegex"`
      - `const DLPEmailRuleBulkEditResponseConditionsOperatorNotMatchRegex DLPEmailRuleBulkEditResponseConditionsOperator = "NotMatchRegex"`
    - `Selector DLPEmailRuleBulkEditResponseConditionsSelector`
      - `const DLPEmailRuleBulkEditResponseConditionsSelectorRecipients DLPEmailRuleBulkEditResponseConditionsSelector = "Recipients"`
      - `const DLPEmailRuleBulkEditResponseConditionsSelectorSender DLPEmailRuleBulkEditResponseConditionsSelector = "Sender"`
      - `const DLPEmailRuleBulkEditResponseConditionsSelectorDLPProfiles DLPEmailRuleBulkEditResponseConditionsSelector = "DLPProfiles"`
    - `Value DLPEmailRuleBulkEditResponseConditionsValueUnion`
      - `type DLPEmailRuleBulkEditResponseConditionsValueArray []string`
      - `UnionString`
  - `CreatedAt Time`
  - `Enabled bool`
  - `Name string`
  - `Priority int64`
  - `RuleID string`
  - `UpdatedAt Time`
  - `Description string`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  response, err := client.ZeroTrust.DLP.Email.Rules.BulkEdit(context.TODO(), zero_trust.DLPEmailRuleBulkEditParams{
    AccountID: cloudflare.F("account_id"),
    NewPriorities: cloudflare.F(map[string]int64{
      "foo": int64(0),
    }),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", response.RuleID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url":
        "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": {
      "action": "Block",
      "message": "message"
    },
    "conditions": [
      {
        "operator": "InList",
        "selector": "Recipients",
        "value": [
          "string"
        ]
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

# Profiles

## List all profiles

`client.ZeroTrust.DLP.Profiles.List(ctx, params) (*SinglePage[Profile], error)`

**get** `/accounts/{account_id}/dlp/profiles`

Lists all DLP profiles in an account.

### Parameters

- `params DLPProfileListParams`
  - `AccountID param.Field[string]` Path param
  - `All param.Field[bool]` Query param: Return all profiles, including those that the current account does not have access to.

### Returns

- `type Profile interface{…}`
  - `type ProfileCustomProfile struct{…}`
    - `ID string` The id of the profile (uuid).
    - `AllowedMatchCount int64` Related DLP policies will trigger when the match count exceeds the number set.
    - `CreatedAt Time` When the profile was created.
    - `Name string` The name of the profile.
    - `OCREnabled bool`
    - `Type ProfileCustomProfileType`
      - `const ProfileCustomProfileTypeCustom ProfileCustomProfileType = "custom"`
    - `UpdatedAt Time` When the profile was last updated.
    - `AIContextEnabled bool`
    - `ConfidenceThreshold ProfileCustomProfileConfidenceThreshold`
      - `const ProfileCustomProfileConfidenceThresholdLow ProfileCustomProfileConfidenceThreshold = "low"`
      - `const ProfileCustomProfileConfidenceThresholdMedium ProfileCustomProfileConfidenceThreshold = "medium"`
      - `const ProfileCustomProfileConfidenceThresholdHigh ProfileCustomProfileConfidenceThreshold = "high"`
      - `const ProfileCustomProfileConfidenceThresholdVeryHigh ProfileCustomProfileConfidenceThreshold = "very_high"`
    - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `Enabled bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `Skip SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `Files bool` If the content type is a file, skip context analysis and return all matches.
    - `DataClasses []string` Data classes associated with this profile.
    - `DataTags []string` Data tags associated with this profile.
    - `Description string` The description of the profile.
    - `Entries []ProfileCustomProfileEntry`
      - `type ProfileCustomProfileEntriesCustomEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Pattern Pattern`
          - `Regex string`
          - `Validation PatternValidation`
            - `const PatternValidationLuhn PatternValidation = "luhn"`
        - `Type ProfileCustomProfileEntriesCustomEntryType`
          - `const ProfileCustomProfileEntriesCustomEntryTypeCustom ProfileCustomProfileEntriesCustomEntryType = "custom"`
        - `UpdatedAt Time`
        - `Description string`
        - `ProfileID string`
      - `type ProfileCustomProfileEntriesPredefinedEntry struct{…}`
        - `ID string`
        - `Confidence ProfileCustomProfileEntriesPredefinedEntryConfidence`
          - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation.
          - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `Enabled bool`
        - `Name string`
        - `Type ProfileCustomProfileEntriesPredefinedEntryType`
          - `const ProfileCustomProfileEntriesPredefinedEntryTypePredefined ProfileCustomProfileEntriesPredefinedEntryType = "predefined"`
        - `ProfileID string`
        - `Variant ProfileCustomProfileEntriesPredefinedEntryVariant`
          - `TopicType ProfileCustomProfileEntriesPredefinedEntryVariantTopicType`
            - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Intent"`
            - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Content"`
          - `Type ProfileCustomProfileEntriesPredefinedEntryVariantType`
            - `const ProfileCustomProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileEntriesPredefinedEntryVariantType = "PromptTopic"`
          - `Description string`
      - `type ProfileCustomProfileEntriesIntegrationEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Type ProfileCustomProfileEntriesIntegrationEntryType`
          - `const ProfileCustomProfileEntriesIntegrationEntryTypeIntegration ProfileCustomProfileEntriesIntegrationEntryType = "integration"`
        - `UpdatedAt Time`
        - `ProfileID string`
      - `type ProfileCustomProfileEntriesExactDataEntry struct{…}`
        - `ID string`
        - `CaseSensitive bool` Only applies to custom word lists.
          Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Secret bool`
        - `Type ProfileCustomProfileEntriesExactDataEntryType`
          - `const ProfileCustomProfileEntriesExactDataEntryTypeExactData ProfileCustomProfileEntriesExactDataEntryType = "exact_data"`
        - `UpdatedAt Time`
      - `type ProfileCustomProfileEntriesDocumentFingerprintEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Type ProfileCustomProfileEntriesDocumentFingerprintEntryType`
          - `const ProfileCustomProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"`
        - `UpdatedAt Time`
      - `type ProfileCustomProfileEntriesWordListEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Type ProfileCustomProfileEntriesWordListEntryType`
          - `const ProfileCustomProfileEntriesWordListEntryTypeWordList ProfileCustomProfileEntriesWordListEntryType = "word_list"`
        - `UpdatedAt Time`
        - `WordList unknown`
        - `ProfileID string`
    - `SensitivityLevels [][]string` Sensitivity levels associated with this profile as (group_id, level_id) tuples.
    - `SharedEntries []ProfileCustomProfileSharedEntry`
      - `type ProfileCustomProfileSharedEntriesCustomEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Pattern Pattern`
        - `Type ProfileCustomProfileSharedEntriesCustomEntryType`
          - `const ProfileCustomProfileSharedEntriesCustomEntryTypeCustom ProfileCustomProfileSharedEntriesCustomEntryType = "custom"`
        - `UpdatedAt Time`
        - `Description string`
        - `ProfileID string`
      - `type ProfileCustomProfileSharedEntriesPredefinedEntry struct{…}`
        - `ID string`
        - `Confidence ProfileCustomProfileSharedEntriesPredefinedEntryConfidence`
          - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation.
          - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `Enabled bool`
        - `Name string`
        - `Type ProfileCustomProfileSharedEntriesPredefinedEntryType`
          - `const ProfileCustomProfileSharedEntriesPredefinedEntryTypePredefined ProfileCustomProfileSharedEntriesPredefinedEntryType = "predefined"`
        - `ProfileID string`
        - `Variant ProfileCustomProfileSharedEntriesPredefinedEntryVariant`
          - `TopicType ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType`
            - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"`
            - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"`
          - `Type ProfileCustomProfileSharedEntriesPredefinedEntryVariantType`
            - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"`
          - `Description string`
      - `type ProfileCustomProfileSharedEntriesIntegrationEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Type ProfileCustomProfileSharedEntriesIntegrationEntryType`
          - `const ProfileCustomProfileSharedEntriesIntegrationEntryTypeIntegration ProfileCustomProfileSharedEntriesIntegrationEntryType = "integration"`
        - `UpdatedAt Time`
        - `ProfileID string`
      - `type ProfileCustomProfileSharedEntriesExactDataEntry struct{…}`
        - `ID string`
        - `CaseSensitive bool` Only applies to custom word lists.
          Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Secret bool`
        - `Type ProfileCustomProfileSharedEntriesExactDataEntryType`
          - `const ProfileCustomProfileSharedEntriesExactDataEntryTypeExactData ProfileCustomProfileSharedEntriesExactDataEntryType = "exact_data"`
        - `UpdatedAt Time`
      - `type ProfileCustomProfileSharedEntriesDocumentFingerprintEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Type ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType`
          - `const ProfileCustomProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"`
        - `UpdatedAt Time`
      - `type ProfileCustomProfileSharedEntriesWordListEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Type ProfileCustomProfileSharedEntriesWordListEntryType`
          - `const ProfileCustomProfileSharedEntriesWordListEntryTypeWordList ProfileCustomProfileSharedEntriesWordListEntryType = "word_list"`
        - `UpdatedAt Time`
        - `WordList unknown`
        - `ProfileID string`
  - `type ProfilePredefinedProfile struct{…}`
    - `ID string` The id of the predefined profile (uuid).
    - `AllowedMatchCount int64`
    - `Entries []ProfilePredefinedProfileEntry`
      - `type ProfilePredefinedProfileEntriesCustomEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Pattern Pattern`
        - `Type ProfilePredefinedProfileEntriesCustomEntryType`
          - `const ProfilePredefinedProfileEntriesCustomEntryTypeCustom ProfilePredefinedProfileEntriesCustomEntryType = "custom"`
        - `UpdatedAt Time`
        - `Description string`
        - `ProfileID string`
      - `type ProfilePredefinedProfileEntriesPredefinedEntry struct{…}`
        - `ID string`
        - `Confidence ProfilePredefinedProfileEntriesPredefinedEntryConfidence`
          - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation.
          - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `Enabled bool`
        - `Name string`
        - `Type ProfilePredefinedProfileEntriesPredefinedEntryType`
          - `const ProfilePredefinedProfileEntriesPredefinedEntryTypePredefined ProfilePredefinedProfileEntriesPredefinedEntryType = "predefined"`
        - `ProfileID string`
        - `Variant ProfilePredefinedProfileEntriesPredefinedEntryVariant`
          - `TopicType ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType`
            - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"`
            - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"`
          - `Type ProfilePredefinedProfileEntriesPredefinedEntryVariantType`
            - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTypePromptTopic ProfilePredefinedProfileEntriesPredefinedEntryVariantType = "PromptTopic"`
          - `Description string`
      - `type ProfilePredefinedProfileEntriesIntegrationEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Type ProfilePredefinedProfileEntriesIntegrationEntryType`
          - `const ProfilePredefinedProfileEntriesIntegrationEntryTypeIntegration ProfilePredefinedProfileEntriesIntegrationEntryType = "integration"`
        - `UpdatedAt Time`
        - `ProfileID string`
      - `type ProfilePredefinedProfileEntriesExactDataEntry struct{…}`
        - `ID string`
        - `CaseSensitive bool` Only applies to custom word lists.
          Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Secret bool`
        - `Type ProfilePredefinedProfileEntriesExactDataEntryType`
          - `const ProfilePredefinedProfileEntriesExactDataEntryTypeExactData ProfilePredefinedProfileEntriesExactDataEntryType = "exact_data"`
        - `UpdatedAt Time`
      - `type ProfilePredefinedProfileEntriesDocumentFingerprintEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Type ProfilePredefinedProfileEntriesDocumentFingerprintEntryType`
          - `const ProfilePredefinedProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfilePredefinedProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"`
        - `UpdatedAt Time`
      - `type ProfilePredefinedProfileEntriesWordListEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Type ProfilePredefinedProfileEntriesWordListEntryType`
          - `const ProfilePredefinedProfileEntriesWordListEntryTypeWordList ProfilePredefinedProfileEntriesWordListEntryType = "word_list"`
        - `UpdatedAt Time`
        - `WordList unknown`
        - `ProfileID string`
    - `Name string` The name of the predefined profile.
    - `Type ProfilePredefinedProfileType`
      - `const ProfilePredefinedProfileTypePredefined ProfilePredefinedProfileType = "predefined"`
    - `AIContextEnabled bool`
    - `ConfidenceThreshold ProfilePredefinedProfileConfidenceThreshold`
      - `const ProfilePredefinedProfileConfidenceThresholdLow ProfilePredefinedProfileConfidenceThreshold = "low"`
      - `const ProfilePredefinedProfileConfidenceThresholdMedium ProfilePredefinedProfileConfidenceThreshold = "medium"`
      - `const ProfilePredefinedProfileConfidenceThresholdHigh ProfilePredefinedProfileConfidenceThreshold = "high"`
      - `const ProfilePredefinedProfileConfidenceThresholdVeryHigh ProfilePredefinedProfileConfidenceThreshold = "very_high"`
    - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `OCREnabled bool`
    - `OpenAccess bool` Whether this profile can be accessed by anyone.
  - `type ProfileIntegrationProfile struct{…}`
    - `ID string`
    - `CreatedAt Time`
    - `Entries []ProfileIntegrationProfileEntry`
      - `type ProfileIntegrationProfileEntriesCustomEntry struct{…}`
        - `ID string`
        - `CreatedAt Time`
        - `Enabled bool`
        - `Name string`
        - `Pattern Pattern`
        - `Type ProfileIntegrationProfileEntriesCustomEntryType`
          - `const ProfileIntegrationProfileEntriesCustomEntryTypeCustom ProfileIntegrationProfileEntriesCustomEntryType = "custom"`
        - `UpdatedAt Time`
        - `Description string`
        - `ProfileID string`
      - `type ProfileIntegrationProfileEntriesPredefinedEntry struct{…}`
        - `ID string`
        - `Confidence ProfileIntegrationProfileEntriesPredefinedEntryConfidence`
          - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation.
          - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service.
- `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesPredefinedEntryType` - `const ProfileIntegrationProfileEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesIntegrationEntryType` - `const ProfileIntegrationProfileEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileEntriesExactDataEntryType` - `const ProfileIntegrationProfileEntriesExactDataEntryTypeExactData ProfileIntegrationProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesWordListEntryType` - `const ProfileIntegrationProfileEntriesWordListEntryTypeWordList ProfileIntegrationProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` - `SharedEntries []ProfileIntegrationProfileSharedEntry` - `type ProfileIntegrationProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileSharedEntriesCustomEntryType` - `const ProfileIntegrationProfileSharedEntriesCustomEntryTypeCustom ProfileIntegrationProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. 
- `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesIntegrationEntryType` - `const ProfileIntegrationProfileSharedEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileSharedEntriesExactDataEntryType` - `const ProfileIntegrationProfileSharedEntriesExactDataEntryTypeExactData ProfileIntegrationProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesWordListEntryType` - `const ProfileIntegrationProfileSharedEntriesWordListEntryTypeWordList ProfileIntegrationProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Type ProfileIntegrationProfileType` - `const ProfileIntegrationProfileTypeIntegration ProfileIntegrationProfileType = "integration"` - `UpdatedAt Time` - `Description string` The description of the profile. 
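Added example, not part of the Cloudflare reference or the SDK: a standard-library decoder for the JSON envelope this endpoint returns. It checks `success`, dispatches on each entry's `type`, and records per profile which entries are enabled, which enabled custom regex entries carry no `validation`, and whether context analysis is skipped for files. The sample payload and the names `summarize`, `Summary` and `knownEntryTypes` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample in the shape of the list response; all values are made up.
const sampleResponse = `{
  "success": true, "errors": [], "messages": [],
  "result": [
    {"id": "p-1", "type": "custom", "context_awareness": {"enabled": true, "skip": {"files": true}},
     "entries": [
       {"name": "pan", "type": "custom", "enabled": true, "pattern": {"regex": "[0-9]{16}", "validation": "luhn"}},
       {"name": "internal-id", "type": "custom", "enabled": true, "pattern": {"regex": "ID-[0-9]+"}},
       {"name": "codenames", "type": "word_list", "enabled": false},
       {"name": "future", "type": "not_documented", "enabled": true}],
     "shared_entries": [{"name": "ssn", "type": "predefined", "enabled": true}]},
    {"id": "p-2", "type": "integration", "entries": []}
  ]
}`

// Entry "type" values listed in the reference.
var knownEntryTypes = map[string]bool{
	"custom": true, "predefined": true, "integration": true, "exact_data": true, "document_fingerprint": true, "word_list": true,
}

type entry struct {
	Name    string `json:"name"`
	Type    string `json:"type"`
	Enabled bool   `json:"enabled"`
	Pattern *struct {
		Validation string `json:"validation"`
	} `json:"pattern"`
}

type profile struct {
	ID               string `json:"id"`
	Type             string `json:"type"`
	ContextAwareness *struct {
		Enabled bool `json:"enabled"`
		Skip    struct{ Files bool `json:"files"` } `json:"skip"`
	} `json:"context_awareness"`
	Entries       []entry `json:"entries"`
	SharedEntries []entry `json:"shared_entries"`
}

type envelope struct {
	Success bool `json:"success"`
	Errors  []struct{ Code int; Message string } `json:"errors"`
	Result  []profile `json:"result"`
}

// Summary is a hypothetical per-profile review record.
type Summary struct {
	ProfileID, Type   string
	Enabled, Disabled int
	// RegexOnly: enabled custom entries without pattern validation.
	// UnknownTypes: entry types this decoder does not recognise.
	RegexOnly, UnknownTypes []string
	SkipsFileContext        bool // context awareness is on but files bypass it
}

func summarize(raw []byte) ([]Summary, error) {
	var env envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, fmt.Errorf("API reported failure: %+v", env.Errors)
	}
	out := make([]Summary, 0, len(env.Result))
	for _, p := range env.Result {
		s := Summary{ProfileID: p.ID, Type: p.Type}
		s.SkipsFileContext = p.ContextAwareness != nil && p.ContextAwareness.Enabled && p.ContextAwareness.Skip.Files
		for _, e := range append(append([]entry{}, p.Entries...), p.SharedEntries...) {
			switch {
			case !knownEntryTypes[e.Type]:
				// Surface unexpected types instead of silently counting them.
				s.UnknownTypes = append(s.UnknownTypes, e.Type)
			case !e.Enabled:
				s.Disabled++
			default:
				s.Enabled++
				if e.Type == "custom" && (e.Pattern == nil || e.Pattern.Validation == "") {
					s.RegexOnly = append(s.RegexOnly, e.Name)
				}
			}
		}
		out = append(out, s)
	}
	return out, nil
}

func main() {
	summaries, err := summarize([]byte(sampleResponse))
	fmt.Printf("%+v %v\n", summaries, err)
}
```
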
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token from the reference; load real tokens from the environment or a secret store.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// List all DLP profiles in the account.
	page, err := client.ZeroTrust.DLP.Profiles.List(context.TODO(), zero_trust.DLPProfileListParams{
		AccountID: cloudflare.F("account_id"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "allowed_match_count": 5,
      "created_at": "2019-12-27T18:11:19.117Z",
      "name": "name",
      "ocr_enabled": true,
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "ai_context_enabled": true,
      "confidence_threshold": "low",
      "context_awareness": {
        "enabled": true,
        "skip": {
          "files": true
        }
      },
      "data_classes": [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ],
      "data_tags": [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ],
      "description": "description",
      "entries": [
        {
          "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "created_at": "2019-12-27T18:11:19.117Z",
          "enabled": true,
          "name": "name",
          "pattern": {
            "regex": "regex",
            "validation": "luhn"
          },
          "type": "custom",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "description": "description",
          "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
        }
      ],
      "sensitivity_levels": [
        [
          "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
        ]
      ],
      "shared_entries": [
        {
          "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "created_at": "2019-12-27T18:11:19.117Z",
          "enabled": true,
          "name": "name",
          "pattern": {
            "regex": "regex",
            "validation": "luhn"
          },
          "type": "custom",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "description": "description",
          "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
        }
      ]
    }
  ]
}
```

## Get DLP Profile

`client.ZeroTrust.DLP.Profiles.Get(ctx, profileID, query) (*Profile, error)`

**get** `/accounts/{account_id}/dlp/profiles/{profile_id}`

Fetches a DLP profile by ID.

### Parameters

- `profileID string`
- `query DLPProfileGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type Profile interface{…}`
  - `type ProfileCustomProfile struct{…}`
    - `ID string` The id of the profile (uuid).
    - `AllowedMatchCount int64` Related DLP policies will trigger when the match count exceeds the number set.
    - `CreatedAt Time` When the profile was created.
    - `Name string` The name of the profile.
    - `OCREnabled bool`
    - `Type ProfileCustomProfileType`
      - `const ProfileCustomProfileTypeCustom ProfileCustomProfileType = "custom"`
    - `UpdatedAt Time` When the profile was last updated.
    - `AIContextEnabled bool`
    - `ConfidenceThreshold ProfileCustomProfileConfidenceThreshold`
      - `const ProfileCustomProfileConfidenceThresholdLow ProfileCustomProfileConfidenceThreshold = "low"`
      - `const ProfileCustomProfileConfidenceThresholdMedium ProfileCustomProfileConfidenceThreshold = "medium"`
      - `const ProfileCustomProfileConfidenceThresholdHigh ProfileCustomProfileConfidenceThreshold = "high"`
      - `const ProfileCustomProfileConfidenceThresholdVeryHigh ProfileCustomProfileConfidenceThreshold = "very_high"`
    - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `Enabled bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `Skip SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `Files bool` If the content type is a file, skip context analysis and return all matches.
    - `DataClasses []string` Data classes associated with this profile.
    - `DataTags []string` Data tags associated with this profile.
    - `Description string` The description of the profile.
- `Entries []ProfileCustomProfileEntry` - `type ProfileCustomProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type ProfileCustomProfileEntriesCustomEntryType` - `const ProfileCustomProfileEntriesCustomEntryTypeCustom ProfileCustomProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesPredefinedEntryType` - `const ProfileCustomProfileEntriesPredefinedEntryTypePredefined ProfileCustomProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesIntegrationEntryType` - `const 
ProfileCustomProfileEntriesIntegrationEntryTypeIntegration ProfileCustomProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileEntriesExactDataEntryType` - `const ProfileCustomProfileEntriesExactDataEntryTypeExactData ProfileCustomProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesWordListEntryType` - `const ProfileCustomProfileEntriesWordListEntryTypeWordList ProfileCustomProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `SensitivityLevels [][]string` Sensitivity levels associated with this profile as (group_id, level_id) tuples. 
- `SharedEntries []ProfileCustomProfileSharedEntry` - `type ProfileCustomProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileCustomProfileSharedEntriesCustomEntryType` - `const ProfileCustomProfileSharedEntriesCustomEntryTypeCustom ProfileCustomProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryTypePredefined ProfileCustomProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesIntegrationEntryType` - `const 
ProfileCustomProfileSharedEntriesIntegrationEntryTypeIntegration ProfileCustomProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileSharedEntriesExactDataEntryType` - `const ProfileCustomProfileSharedEntriesExactDataEntryTypeExactData ProfileCustomProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesWordListEntryType` - `const ProfileCustomProfileSharedEntriesWordListEntryTypeWordList ProfileCustomProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `type ProfilePredefinedProfile struct{…}` - `ID string` The id of the predefined profile (uuid). 
- `AllowedMatchCount int64` - `Entries []ProfilePredefinedProfileEntry` - `type ProfilePredefinedProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfilePredefinedProfileEntriesCustomEntryType` - `const ProfilePredefinedProfileEntriesCustomEntryTypeCustom ProfilePredefinedProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfilePredefinedProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfilePredefinedProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesPredefinedEntryType` - `const ProfilePredefinedProfileEntriesPredefinedEntryTypePredefined ProfilePredefinedProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfilePredefinedProfileEntriesPredefinedEntryVariant` - `TopicType ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfilePredefinedProfileEntriesPredefinedEntryVariantType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTypePromptTopic ProfilePredefinedProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfilePredefinedProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesIntegrationEntryType` - `const 
ProfilePredefinedProfileEntriesIntegrationEntryTypeIntegration ProfilePredefinedProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfilePredefinedProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfilePredefinedProfileEntriesExactDataEntryType` - `const ProfilePredefinedProfileEntriesExactDataEntryTypeExactData ProfilePredefinedProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesDocumentFingerprintEntryType` - `const ProfilePredefinedProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfilePredefinedProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesWordListEntryType` - `const ProfilePredefinedProfileEntriesWordListEntryTypeWordList ProfilePredefinedProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` The name of the predefined profile. 
- `Type ProfilePredefinedProfileType` - `const ProfilePredefinedProfileTypePredefined ProfilePredefinedProfileType = "predefined"` - `AIContextEnabled bool` - `ConfidenceThreshold ProfilePredefinedProfileConfidenceThreshold` - `const ProfilePredefinedProfileConfidenceThresholdLow ProfilePredefinedProfileConfidenceThreshold = "low"` - `const ProfilePredefinedProfileConfidenceThresholdMedium ProfilePredefinedProfileConfidenceThreshold = "medium"` - `const ProfilePredefinedProfileConfidenceThresholdHigh ProfilePredefinedProfileConfidenceThreshold = "high"` - `const ProfilePredefinedProfileConfidenceThresholdVeryHigh ProfilePredefinedProfileConfidenceThreshold = "very_high"` - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `OCREnabled bool` - `OpenAccess bool` Whether this profile can be accessed by anyone. - `type ProfileIntegrationProfile struct{…}` - `ID string` - `CreatedAt Time` - `Entries []ProfileIntegrationProfileEntry` - `type ProfileIntegrationProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileEntriesCustomEntryType` - `const ProfileIntegrationProfileEntriesCustomEntryTypeCustom ProfileIntegrationProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesPredefinedEntryType` - `const ProfileIntegrationProfileEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesIntegrationEntryType` - `const ProfileIntegrationProfileEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileEntriesExactDataEntryType` - `const ProfileIntegrationProfileEntriesExactDataEntryTypeExactData ProfileIntegrationProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesWordListEntryType` - `const ProfileIntegrationProfileEntriesWordListEntryTypeWordList ProfileIntegrationProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` - `SharedEntries []ProfileIntegrationProfileSharedEntry` - `type ProfileIntegrationProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileSharedEntriesCustomEntryType` - `const ProfileIntegrationProfileSharedEntriesCustomEntryTypeCustom ProfileIntegrationProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. 
- `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesIntegrationEntryType` - `const ProfileIntegrationProfileSharedEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileSharedEntriesExactDataEntryType` - `const ProfileIntegrationProfileSharedEntriesExactDataEntryTypeExactData ProfileIntegrationProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesWordListEntryType` - `const ProfileIntegrationProfileSharedEntriesWordListEntryTypeWordList ProfileIntegrationProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Type ProfileIntegrationProfileType` - `const ProfileIntegrationProfileTypeIntegration ProfileIntegrationProfileType = "integration"` - `UpdatedAt Time` - `Description string` The description of the profile. 
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token from the reference; load real tokens from the environment or a secret store.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Fetch a single DLP profile by its ID.
	profile, err := client.ZeroTrust.DLP.Profiles.Get(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPProfileGetParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", profile)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Domain Types

### Context Awareness

- `type ContextAwareness struct{…}` Scan the context of predefined entries to only return matches surrounded by keywords.
  - `Enabled bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
  - `Skip SkipConfiguration` Content types to exclude from context analysis and return all matches.
    - `Files bool` If the content type is a file, skip context analysis and return all matches.

### Profile

- `type Profile interface{…}`
  - `type ProfileCustomProfile struct{…}`
    - `ID string` The id of the profile (uuid).
    - `AllowedMatchCount int64` Related DLP policies will trigger when the match count exceeds the number set.
    - `CreatedAt Time` When the profile was created.
    - `Name string` The name of the profile.
    - `OCREnabled bool`
    - `Type ProfileCustomProfileType`
      - `const ProfileCustomProfileTypeCustom ProfileCustomProfileType = "custom"`
    - `UpdatedAt Time` When the profile was last updated.
    - `AIContextEnabled bool`
    - `ConfidenceThreshold ProfileCustomProfileConfidenceThreshold`
      - `const ProfileCustomProfileConfidenceThresholdLow ProfileCustomProfileConfidenceThreshold = "low"`
      - `const ProfileCustomProfileConfidenceThresholdMedium ProfileCustomProfileConfidenceThreshold = "medium"`
      - `const ProfileCustomProfileConfidenceThresholdHigh ProfileCustomProfileConfidenceThreshold = "high"`
      - `const ProfileCustomProfileConfidenceThresholdVeryHigh ProfileCustomProfileConfidenceThreshold = "very_high"`
    - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `Enabled bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `Skip SkipConfiguration` Content types to exclude from context analysis and return all matches.
- `Files bool` If the content type is a file, skip context analysis and return all matches. - `DataClasses []string` Data classes associated with this profile. - `DataTags []string` Data tags associated with this profile. - `Description string` The description of the profile. - `Entries []ProfileCustomProfileEntry` - `type ProfileCustomProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type ProfileCustomProfileEntriesCustomEntryType` - `const ProfileCustomProfileEntriesCustomEntryTypeCustom ProfileCustomProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesPredefinedEntryType` - `const ProfileCustomProfileEntriesPredefinedEntryTypePredefined ProfileCustomProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesIntegrationEntryType` - `const ProfileCustomProfileEntriesIntegrationEntryTypeIntegration ProfileCustomProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileEntriesExactDataEntryType` - `const ProfileCustomProfileEntriesExactDataEntryTypeExactData ProfileCustomProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesWordListEntryType` - `const ProfileCustomProfileEntriesWordListEntryTypeWordList ProfileCustomProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `SensitivityLevels [][]string` Sensitivity levels associated with this profile as (group_id, level_id) tuples. - `SharedEntries []ProfileCustomProfileSharedEntry` - `type ProfileCustomProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileCustomProfileSharedEntriesCustomEntryType` - `const ProfileCustomProfileSharedEntriesCustomEntryTypeCustom ProfileCustomProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. 
- `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryTypePredefined ProfileCustomProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesIntegrationEntryType` - `const ProfileCustomProfileSharedEntriesIntegrationEntryTypeIntegration ProfileCustomProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileSharedEntriesExactDataEntryType` - `const ProfileCustomProfileSharedEntriesExactDataEntryTypeExactData ProfileCustomProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesWordListEntryType` - `const ProfileCustomProfileSharedEntriesWordListEntryTypeWordList ProfileCustomProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `type ProfilePredefinedProfile struct{…}` - `ID string` The id of the predefined profile (uuid). - `AllowedMatchCount int64` - `Entries []ProfilePredefinedProfileEntry` - `type ProfilePredefinedProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfilePredefinedProfileEntriesCustomEntryType` - `const ProfilePredefinedProfileEntriesCustomEntryTypeCustom ProfilePredefinedProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfilePredefinedProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfilePredefinedProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. 
- `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesPredefinedEntryType` - `const ProfilePredefinedProfileEntriesPredefinedEntryTypePredefined ProfilePredefinedProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfilePredefinedProfileEntriesPredefinedEntryVariant` - `TopicType ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfilePredefinedProfileEntriesPredefinedEntryVariantType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTypePromptTopic ProfilePredefinedProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfilePredefinedProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesIntegrationEntryType` - `const ProfilePredefinedProfileEntriesIntegrationEntryTypeIntegration ProfilePredefinedProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfilePredefinedProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfilePredefinedProfileEntriesExactDataEntryType` - `const ProfilePredefinedProfileEntriesExactDataEntryTypeExactData ProfilePredefinedProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesDocumentFingerprintEntryType` - `const ProfilePredefinedProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfilePredefinedProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesWordListEntryType` - `const ProfilePredefinedProfileEntriesWordListEntryTypeWordList ProfilePredefinedProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` The name of the predefined profile. 
- `Type ProfilePredefinedProfileType` - `const ProfilePredefinedProfileTypePredefined ProfilePredefinedProfileType = "predefined"` - `AIContextEnabled bool` - `ConfidenceThreshold ProfilePredefinedProfileConfidenceThreshold` - `const ProfilePredefinedProfileConfidenceThresholdLow ProfilePredefinedProfileConfidenceThreshold = "low"` - `const ProfilePredefinedProfileConfidenceThresholdMedium ProfilePredefinedProfileConfidenceThreshold = "medium"` - `const ProfilePredefinedProfileConfidenceThresholdHigh ProfilePredefinedProfileConfidenceThreshold = "high"` - `const ProfilePredefinedProfileConfidenceThresholdVeryHigh ProfilePredefinedProfileConfidenceThreshold = "very_high"` - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `OCREnabled bool` - `OpenAccess bool` Whether this profile can be accessed by anyone. - `type ProfileIntegrationProfile struct{…}` - `ID string` - `CreatedAt Time` - `Entries []ProfileIntegrationProfileEntry` - `type ProfileIntegrationProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileEntriesCustomEntryType` - `const ProfileIntegrationProfileEntriesCustomEntryTypeCustom ProfileIntegrationProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesPredefinedEntryType` - `const ProfileIntegrationProfileEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesIntegrationEntryType` - `const ProfileIntegrationProfileEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileEntriesExactDataEntryType` - `const ProfileIntegrationProfileEntriesExactDataEntryTypeExactData ProfileIntegrationProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesWordListEntryType` - `const ProfileIntegrationProfileEntriesWordListEntryTypeWordList ProfileIntegrationProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` - `SharedEntries []ProfileIntegrationProfileSharedEntry` - `type ProfileIntegrationProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileSharedEntriesCustomEntryType` - `const ProfileIntegrationProfileSharedEntriesCustomEntryTypeCustom ProfileIntegrationProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. 
- `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesIntegrationEntryType` - `const ProfileIntegrationProfileSharedEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileSharedEntriesExactDataEntryType` - `const ProfileIntegrationProfileSharedEntriesExactDataEntryTypeExactData ProfileIntegrationProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesWordListEntryType` - `const ProfileIntegrationProfileSharedEntriesWordListEntryTypeWordList ProfileIntegrationProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Type ProfileIntegrationProfileType` - `const ProfileIntegrationProfileTypeIntegration ProfileIntegrationProfileType = "integration"` - `UpdatedAt Time` - `Description string` The description of the profile.

### Skip Configuration

- `type SkipConfiguration struct{…}` Content types to exclude from context analysis and return all matches.
  - `Files bool` If the content type is a file, skip context analysis and return all matches.

# Custom

## Get custom profile

`client.ZeroTrust.DLP.Profiles.Custom.Get(ctx, profileID, query) (*Profile, error)`

**get** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Fetches a custom DLP profile by id.
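Several of the profile fields documented above narrow what a profile reports: `allowed_match_count` sets how many matches are tolerated before policies trigger, `context_awareness` drops predefined-entry matches that lack surrounding keywords, and every entry variant carries its own `enabled` flag. The audit helper below is an added example, not part of cloudflare-go or of this reference; it decodes a response body with `encoding/json` only, and the sample response, the type names and the finding texts are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleResponse is constructed for this example. It follows the documented
// response shape, but every name and setting in it is made up.
const sampleResponse = `{
  "success": true,
  "result": {
    "name": "payment-data",
    "type": "custom",
    "allowed_match_count": 5,
    "context_awareness": {"enabled": true, "skip": {"files": false}},
    "entries": [
      {"name": "card-number", "type": "custom", "enabled": true,
       "pattern": {"regex": "\\d{16}", "validation": "luhn"}},
      {"name": "internal-codenames", "type": "word_list", "enabled": false}
    ],
    "shared_entries": [
      {"name": "hr-export", "type": "exact_data", "enabled": false}
    ]
  }
}`

// entry keeps the fields shared by every documented entry variant; "type" is
// the discriminator ("custom", "predefined", "word_list", ...).
type entry struct {
	Name    string `json:"name"`
	Type    string `json:"type"`
	Enabled bool   `json:"enabled"`
}

// profile holds only the settings this audit inspects.
type profile struct {
	AllowedMatchCount int64 `json:"allowed_match_count"`
	ContextAwareness  *struct {
		Enabled bool `json:"enabled"`
		Skip    struct {
			Files bool `json:"files"`
		} `json:"skip"`
	} `json:"context_awareness"`
	Entries       []entry `json:"entries"`
	SharedEntries []entry `json:"shared_entries"`
}

// envelope is the wrapper around "result" shown in the Response sections.
type envelope struct {
	Success bool `json:"success"`
	Errors  []struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	} `json:"errors"`
	Result *profile `json:"result"`
}

// AuditProfile decodes a profile response and returns one finding for each
// setting that narrows what the profile reports.
func AuditProfile(raw []byte) ([]string, error) {
	var env envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success || env.Result == nil {
		return nil, fmt.Errorf("API reported failure: %+v", env.Errors)
	}
	p, findings := env.Result, []string{}
	if p.AllowedMatchCount > 0 {
		findings = append(findings, fmt.Sprintf(
			"allowed_match_count=%d: policies trigger only when the match count exceeds %d",
			p.AllowedMatchCount, p.AllowedMatchCount))
	}
	if ca := p.ContextAwareness; ca != nil && ca.Enabled {
		scope := "files included"
		if ca.Skip.Files {
			scope = "files excepted"
		}
		findings = append(findings,
			"context_awareness: predefined-entry matches without surrounding keywords are not returned, "+scope)
	}
	lists := []struct {
		field string
		items []entry
	}{{"entries", p.Entries}, {"shared_entries", p.SharedEntries}}
	for _, l := range lists {
		for _, e := range l.items {
			if !e.Enabled {
				findings = append(findings,
					fmt.Sprintf("%s: %q (%s) is disabled", l.field, e.Name, e.Type))
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditProfile([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

To audit a live profile, pass the raw body returned by `GET /accounts/{account_id}/dlp/profiles/custom/{profile_id}` to `AuditProfile` in place of the constructed sample.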
### Parameters

- `profileID string`
- `query DLPProfileCustomGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type Profile interface{…}` - `type ProfileCustomProfile struct{…}` - `ID string` The id of the profile (uuid). - `AllowedMatchCount int64` Related DLP policies will trigger when the match count exceeds the number set. - `CreatedAt Time` When the profile was created. - `Name string` The name of the profile. - `OCREnabled bool` - `Type ProfileCustomProfileType` - `const ProfileCustomProfileTypeCustom ProfileCustomProfileType = "custom"` - `UpdatedAt Time` When the profile was last updated. - `AIContextEnabled bool` - `ConfidenceThreshold ProfileCustomProfileConfidenceThreshold` - `const ProfileCustomProfileConfidenceThresholdLow ProfileCustomProfileConfidenceThreshold = "low"` - `const ProfileCustomProfileConfidenceThresholdMedium ProfileCustomProfileConfidenceThreshold = "medium"` - `const ProfileCustomProfileConfidenceThresholdHigh ProfileCustomProfileConfidenceThreshold = "high"` - `const ProfileCustomProfileConfidenceThresholdVeryHigh ProfileCustomProfileConfidenceThreshold = "very_high"` - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `Enabled bool` If true, scan the context of predefined entries to only return matches surrounded by keywords. - `Skip SkipConfiguration` Content types to exclude from context analysis and return all matches. - `Files bool` If the content type is a file, skip context analysis and return all matches. - `DataClasses []string` Data classes associated with this profile. - `DataTags []string` Data tags associated with this profile. - `Description string` The description of the profile.
- `Entries []ProfileCustomProfileEntry` - `type ProfileCustomProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type ProfileCustomProfileEntriesCustomEntryType` - `const ProfileCustomProfileEntriesCustomEntryTypeCustom ProfileCustomProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesPredefinedEntryType` - `const ProfileCustomProfileEntriesPredefinedEntryTypePredefined ProfileCustomProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesIntegrationEntryType` - `const 
ProfileCustomProfileEntriesIntegrationEntryTypeIntegration ProfileCustomProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileEntriesExactDataEntryType` - `const ProfileCustomProfileEntriesExactDataEntryTypeExactData ProfileCustomProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesWordListEntryType` - `const ProfileCustomProfileEntriesWordListEntryTypeWordList ProfileCustomProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `SensitivityLevels [][]string` Sensitivity levels associated with this profile as (group_id, level_id) tuples. 
- `SharedEntries []ProfileCustomProfileSharedEntry` - `type ProfileCustomProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileCustomProfileSharedEntriesCustomEntryType` - `const ProfileCustomProfileSharedEntriesCustomEntryTypeCustom ProfileCustomProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryTypePredefined ProfileCustomProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesIntegrationEntryType` - `const 
ProfileCustomProfileSharedEntriesIntegrationEntryTypeIntegration ProfileCustomProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileSharedEntriesExactDataEntryType` - `const ProfileCustomProfileSharedEntriesExactDataEntryTypeExactData ProfileCustomProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesWordListEntryType` - `const ProfileCustomProfileSharedEntriesWordListEntryTypeWordList ProfileCustomProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `type ProfilePredefinedProfile struct{…}` - `ID string` The id of the predefined profile (uuid). 
- `AllowedMatchCount int64` - `Entries []ProfilePredefinedProfileEntry` - `type ProfilePredefinedProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfilePredefinedProfileEntriesCustomEntryType` - `const ProfilePredefinedProfileEntriesCustomEntryTypeCustom ProfilePredefinedProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfilePredefinedProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfilePredefinedProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesPredefinedEntryType` - `const ProfilePredefinedProfileEntriesPredefinedEntryTypePredefined ProfilePredefinedProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfilePredefinedProfileEntriesPredefinedEntryVariant` - `TopicType ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfilePredefinedProfileEntriesPredefinedEntryVariantType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTypePromptTopic ProfilePredefinedProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfilePredefinedProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesIntegrationEntryType` - `const 
ProfilePredefinedProfileEntriesIntegrationEntryTypeIntegration ProfilePredefinedProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfilePredefinedProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfilePredefinedProfileEntriesExactDataEntryType` - `const ProfilePredefinedProfileEntriesExactDataEntryTypeExactData ProfilePredefinedProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesDocumentFingerprintEntryType` - `const ProfilePredefinedProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfilePredefinedProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesWordListEntryType` - `const ProfilePredefinedProfileEntriesWordListEntryTypeWordList ProfilePredefinedProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` The name of the predefined profile. 
- `Type ProfilePredefinedProfileType` - `const ProfilePredefinedProfileTypePredefined ProfilePredefinedProfileType = "predefined"` - `AIContextEnabled bool` - `ConfidenceThreshold ProfilePredefinedProfileConfidenceThreshold` - `const ProfilePredefinedProfileConfidenceThresholdLow ProfilePredefinedProfileConfidenceThreshold = "low"` - `const ProfilePredefinedProfileConfidenceThresholdMedium ProfilePredefinedProfileConfidenceThreshold = "medium"` - `const ProfilePredefinedProfileConfidenceThresholdHigh ProfilePredefinedProfileConfidenceThreshold = "high"` - `const ProfilePredefinedProfileConfidenceThresholdVeryHigh ProfilePredefinedProfileConfidenceThreshold = "very_high"` - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `OCREnabled bool` - `OpenAccess bool` Whether this profile can be accessed by anyone. - `type ProfileIntegrationProfile struct{…}` - `ID string` - `CreatedAt Time` - `Entries []ProfileIntegrationProfileEntry` - `type ProfileIntegrationProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileEntriesCustomEntryType` - `const ProfileIntegrationProfileEntriesCustomEntryTypeCustom ProfileIntegrationProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesPredefinedEntryType` - `const ProfileIntegrationProfileEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesIntegrationEntryType` - `const ProfileIntegrationProfileEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileEntriesExactDataEntryType` - `const ProfileIntegrationProfileEntriesExactDataEntryTypeExactData ProfileIntegrationProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesWordListEntryType` - `const ProfileIntegrationProfileEntriesWordListEntryTypeWordList ProfileIntegrationProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` - `SharedEntries []ProfileIntegrationProfileSharedEntry` - `type ProfileIntegrationProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileSharedEntriesCustomEntryType` - `const ProfileIntegrationProfileSharedEntriesCustomEntryTypeCustom ProfileIntegrationProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. 
- `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesIntegrationEntryType` - `const ProfileIntegrationProfileSharedEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileSharedEntriesExactDataEntryType` - `const ProfileIntegrationProfileSharedEntriesExactDataEntryTypeExactData ProfileIntegrationProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesWordListEntryType` - `const ProfileIntegrationProfileSharedEntriesWordListEntryTypeWordList ProfileIntegrationProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Type ProfileIntegrationProfileType` - `const ProfileIntegrationProfileTypeIntegration ProfileIntegrationProfileType = "integration"` - `UpdatedAt Time` - `Description string` The description of the profile. 
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Token shown inline for the example; in practice load it from the
	// environment or a secret store rather than from source.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Fetch one custom DLP profile by its profile ID.
	profile, err := client.ZeroTrust.DLP.Profiles.Custom.Get(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPProfileCustomGetParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", profile)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Create custom profile

`client.ZeroTrust.DLP.Profiles.Custom.New(ctx, params) (*Profile, error)`

**post** `/accounts/{account_id}/dlp/profiles/custom`

Creates a DLP custom profile.

### Parameters

- `params DLPProfileCustomNewParams`
  - `AccountID param.Field[string]` Path param
  - `Name param.Field[string]` Body param
  - `AIContextEnabled param.Field[bool]` Body param
  - `AllowedMatchCount param.Field[int64]` Body param: Related DLP policies will trigger when the match count exceeds the number set.
  - `ConfidenceThreshold param.Field[string]` Body param
  - `ContextAwareness param.Field[ContextAwareness]` Body param: Scan the context of predefined entries to only return matches surrounded by keywords.
  - `DataClasses param.Field[[]string]` Body param: Data class IDs to associate with the profile.
  - `DataTags param.Field[[]string]` Body param: Data tag IDs to associate with the profile.
  - `Description param.Field[string]` Body param: The description of the profile.
  - `Entries param.Field[[]DLPProfileCustomNewParamsEntry]` Body param
    - `type DLPProfileCustomNewParamsEntriesDLPNewCustomEntry struct{…}`
      - `Enabled bool`
      - `Name string`
      - `Pattern Pattern`
        - `Regex string`
        - `Validation PatternValidation`
          - `const PatternValidationLuhn PatternValidation = "luhn"`
      - `Description string`
    - `type DLPProfileCustomNewParamsEntriesDLPNewWordListEntry struct{…}`
      - `Enabled bool`
      - `Name string`
      - `Words []string`
  - `OCREnabled param.Field[bool]` Body param
  - `SensitivityLevels param.Field[[][]string]` Body param: Sensitivity levels to associate with the profile as (group_id, level_id) tuples.
  - `SharedEntries param.Field[[]DLPProfileCustomNewParamsSharedEntry]` Body param: Entries from other profiles (e.g. pre-defined Cloudflare profiles, or your Microsoft Information Protection profiles).
    - `Enabled bool`
    - `EntryID string`

### Returns

- `type Profile interface{…}`
  - `type ProfileCustomProfile struct{…}`
    - `ID string` The id of the profile (uuid).
    - `AllowedMatchCount int64` Related DLP policies will trigger when the match count exceeds the number set.
    - `CreatedAt Time` When the profile was created.
    - `Name string` The name of the profile.
    - `OCREnabled bool`
    - `Type ProfileCustomProfileType`
      - `const ProfileCustomProfileTypeCustom ProfileCustomProfileType = "custom"`
    - `UpdatedAt Time` When the profile was last updated.
    - `AIContextEnabled bool`
    - `ConfidenceThreshold ProfileCustomProfileConfidenceThreshold`
      - `const ProfileCustomProfileConfidenceThresholdLow ProfileCustomProfileConfidenceThreshold = "low"`
      - `const ProfileCustomProfileConfidenceThresholdMedium ProfileCustomProfileConfidenceThreshold = "medium"`
      - `const ProfileCustomProfileConfidenceThresholdHigh ProfileCustomProfileConfidenceThreshold = "high"`
      - `const ProfileCustomProfileConfidenceThresholdVeryHigh ProfileCustomProfileConfidenceThreshold = "very_high"`
    - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `Enabled bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `Skip SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `Files bool` If the content type is a file, skip context analysis and return all matches.
    - `DataClasses []string` Data classes associated with this profile.
    - `DataTags []string` Data tags associated with this profile.
    - `Description string` The description of the profile.
- `Entries []ProfileCustomProfileEntry` - `type ProfileCustomProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type ProfileCustomProfileEntriesCustomEntryType` - `const ProfileCustomProfileEntriesCustomEntryTypeCustom ProfileCustomProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesPredefinedEntryType` - `const ProfileCustomProfileEntriesPredefinedEntryTypePredefined ProfileCustomProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesIntegrationEntryType` - `const 
ProfileCustomProfileEntriesIntegrationEntryTypeIntegration ProfileCustomProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileEntriesExactDataEntryType` - `const ProfileCustomProfileEntriesExactDataEntryTypeExactData ProfileCustomProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesWordListEntryType` - `const ProfileCustomProfileEntriesWordListEntryTypeWordList ProfileCustomProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `SensitivityLevels [][]string` Sensitivity levels associated with this profile as (group_id, level_id) tuples. 
- `SharedEntries []ProfileCustomProfileSharedEntry` - `type ProfileCustomProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileCustomProfileSharedEntriesCustomEntryType` - `const ProfileCustomProfileSharedEntriesCustomEntryTypeCustom ProfileCustomProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryTypePredefined ProfileCustomProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesIntegrationEntryType` - `const 
ProfileCustomProfileSharedEntriesIntegrationEntryTypeIntegration ProfileCustomProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileSharedEntriesExactDataEntryType` - `const ProfileCustomProfileSharedEntriesExactDataEntryTypeExactData ProfileCustomProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesWordListEntryType` - `const ProfileCustomProfileSharedEntriesWordListEntryTypeWordList ProfileCustomProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `type ProfilePredefinedProfile struct{…}` - `ID string` The id of the predefined profile (uuid). 
- `AllowedMatchCount int64` - `Entries []ProfilePredefinedProfileEntry` - `type ProfilePredefinedProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfilePredefinedProfileEntriesCustomEntryType` - `const ProfilePredefinedProfileEntriesCustomEntryTypeCustom ProfilePredefinedProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfilePredefinedProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfilePredefinedProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesPredefinedEntryType` - `const ProfilePredefinedProfileEntriesPredefinedEntryTypePredefined ProfilePredefinedProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfilePredefinedProfileEntriesPredefinedEntryVariant` - `TopicType ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfilePredefinedProfileEntriesPredefinedEntryVariantType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTypePromptTopic ProfilePredefinedProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfilePredefinedProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesIntegrationEntryType` - `const 
ProfilePredefinedProfileEntriesIntegrationEntryTypeIntegration ProfilePredefinedProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfilePredefinedProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfilePredefinedProfileEntriesExactDataEntryType` - `const ProfilePredefinedProfileEntriesExactDataEntryTypeExactData ProfilePredefinedProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesDocumentFingerprintEntryType` - `const ProfilePredefinedProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfilePredefinedProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesWordListEntryType` - `const ProfilePredefinedProfileEntriesWordListEntryTypeWordList ProfilePredefinedProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` The name of the predefined profile. 
- `Type ProfilePredefinedProfileType` - `const ProfilePredefinedProfileTypePredefined ProfilePredefinedProfileType = "predefined"` - `AIContextEnabled bool` - `ConfidenceThreshold ProfilePredefinedProfileConfidenceThreshold` - `const ProfilePredefinedProfileConfidenceThresholdLow ProfilePredefinedProfileConfidenceThreshold = "low"` - `const ProfilePredefinedProfileConfidenceThresholdMedium ProfilePredefinedProfileConfidenceThreshold = "medium"` - `const ProfilePredefinedProfileConfidenceThresholdHigh ProfilePredefinedProfileConfidenceThreshold = "high"` - `const ProfilePredefinedProfileConfidenceThresholdVeryHigh ProfilePredefinedProfileConfidenceThreshold = "very_high"` - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `OCREnabled bool` - `OpenAccess bool` Whether this profile can be accessed by anyone. - `type ProfileIntegrationProfile struct{…}` - `ID string` - `CreatedAt Time` - `Entries []ProfileIntegrationProfileEntry` - `type ProfileIntegrationProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileEntriesCustomEntryType` - `const ProfileIntegrationProfileEntriesCustomEntryTypeCustom ProfileIntegrationProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesPredefinedEntryType` - `const ProfileIntegrationProfileEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesIntegrationEntryType` - `const ProfileIntegrationProfileEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileEntriesExactDataEntryType` - `const ProfileIntegrationProfileEntriesExactDataEntryTypeExactData ProfileIntegrationProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesWordListEntryType` - `const ProfileIntegrationProfileEntriesWordListEntryTypeWordList ProfileIntegrationProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` - `SharedEntries []ProfileIntegrationProfileSharedEntry` - `type ProfileIntegrationProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileSharedEntriesCustomEntryType` - `const ProfileIntegrationProfileSharedEntriesCustomEntryTypeCustom ProfileIntegrationProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. 
- `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesIntegrationEntryType` - `const ProfileIntegrationProfileSharedEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileSharedEntriesExactDataEntryType` - `const ProfileIntegrationProfileSharedEntriesExactDataEntryTypeExactData ProfileIntegrationProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesWordListEntryType` - `const ProfileIntegrationProfileSharedEntriesWordListEntryTypeWordList ProfileIntegrationProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Type ProfileIntegrationProfileType` - `const ProfileIntegrationProfileTypeIntegration ProfileIntegrationProfileType = "integration"` - `UpdatedAt Time` - `Description string` The description of the profile. 
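The custom-entry fields listed for this endpoint (`Pattern.Regex`, `Validation` set to `"luhn"`) and the profile's `AllowedMatchCount` rule can be checked locally before an entry is created. This is an added example, not Cloudflare's matching engine or SDK code: the `Entry` type, function names, regex and sample text are assumptions, and it evaluates the pattern with Go's `regexp`, which may differ from the service's engine.

```go
package main

import (
	"fmt"
	"regexp"
)

// Entry is a local stand-in for a custom DLP entry (Name, Enabled,
// Pattern.Regex, Pattern.Validation). Hypothetical type, not the SDK's.
type Entry struct {
	Name       string
	Enabled    bool
	Regex      string
	Validation string // "" for none, "luhn" for the Luhn checksum
}

// Assumed candidate pattern: 16 digits, optionally separated by spaces or dashes.
const cardRegex = `\b(?:\d[ -]?){15}\d\b`

// Constructed sample text: two Luhn-valid test numbers, plus an order
// reference and a mistyped number that match the regex but fail the checksum.
const sampleContent = `order ref 1234 5678 9012 3456
card on file: 4111 1111 1111 1111
backup card: 5500-0000-0000-0004
mistyped: 4111 1111 1111 1112`

// luhnValid reports whether the digits in s pass the Luhn checksum.
// Separators and other non-digit bytes are skipped.
func luhnValid(s string) bool {
	sum, digits, double := 0, 0, false
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c < '0' || c > '9' {
			continue
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
		digits++
	}
	return digits > 1 && sum%10 == 0
}

// CountMatches returns how many regex hits in content survive the entry's
// validation. A disabled entry contributes nothing.
func CountMatches(e Entry, content string) (int64, error) {
	if !e.Enabled {
		return 0, nil
	}
	re, err := regexp.Compile(e.Regex)
	if err != nil {
		return 0, fmt.Errorf("entry %q: %w", e.Name, err)
	}
	var count int64
	for _, m := range re.FindAllString(content, -1) {
		if e.Validation == "luhn" && !luhnValid(m) {
			continue // regex hit rejected by the checksum
		}
		count++
	}
	return count, nil
}

// ProfileTriggers applies the documented rule: a policy triggers when the
// match count exceeds allowed. Summing across entries is an assumption here.
func ProfileTriggers(entries []Entry, allowed int64, content string) (bool, int64, error) {
	var total int64
	for _, e := range entries {
		n, err := CountMatches(e, content)
		if err != nil {
			return false, 0, err
		}
		total += n
	}
	return total > allowed, total, nil
}

func main() {
	for _, v := range []string{"", "luhn"} {
		e := Entry{Name: "payment card", Enabled: true, Regex: cardRegex, Validation: v}
		hit, n, err := ProfileTriggers([]Entry{e}, 2, sampleContent)
		if err != nil {
			panic(err)
		}
		fmt.Printf("validation=%q matches=%d triggers=%v\n", v, n, hit)
	}
}
```

With the same regex and an allowed count of 2, the unvalidated entry triggers on checksum-failing numbers while the `luhn` entry does not, which is the false-positive reduction the validation field provides.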
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Example token from the docs. Supply a real token from the
	// environment or a secret store rather than from source code.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	profile, err := client.ZeroTrust.DLP.Profiles.Custom.New(context.TODO(), zero_trust.DLPProfileCustomNewParams{
		AccountID: cloudflare.F("account_id"),
		Name:      cloudflare.F("name"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", profile)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Update custom profile

`client.ZeroTrust.DLP.Profiles.Custom.Update(ctx, profileID, params) (*Profile, error)`

**put** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Updates a DLP custom profile.

### Parameters

- `profileID string`
- `params DLPProfileCustomUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Name param.Field[string]` Body param
  - `AIContextEnabled param.Field[bool]` Body param
  - `AllowedMatchCount param.Field[int64]` Body param
  - `ConfidenceThreshold param.Field[string]` Body param
  - `ContextAwareness param.Field[ContextAwareness]` Body param: Scan the context of predefined entries to only return matches surrounded by keywords.
  - `DataClasses param.Field[[]string]` Body param: Data class IDs to associate with the profile. If omitted, existing associations are unchanged.
  - `DataTags param.Field[[]string]` Body param: Data tag IDs to associate with the profile. If omitted, existing associations are unchanged.
  - `Description param.Field[string]` Body param: The description of the profile.
  - `Entries param.Field[[]DLPProfileCustomUpdateParamsEntry]` Body param: Custom entries from this profile. If this field is omitted, entries owned by this profile will not be changed.
    - `type DLPProfileCustomUpdateParamsEntriesDLPNewCustomEntryWithID struct{…}`
      - `Enabled bool`
      - `EntryID string`
      - `Name string`
      - `Pattern Pattern`
        - `Regex string`
        - `Validation PatternValidation`
          - `const PatternValidationLuhn PatternValidation = "luhn"`
      - `Description string`
    - `type DLPProfileCustomUpdateParamsEntriesDLPNewCustomEntry struct{…}`
      - `Enabled bool`
      - `Name string`
      - `Pattern Pattern`
      - `Description string`
  - `OCREnabled param.Field[bool]` Body param
  - `SensitivityLevels param.Field[[][]string]` Body param: Sensitivity levels to associate with the profile. If omitted, existing associations are unchanged.
  - `SharedEntries param.Field[[]DLPProfileCustomUpdateParamsSharedEntry]` Body param: Other entries, e.g. predefined or integration.
    - `Enabled bool`
    - `EntryID string`

### Returns

- `type Profile interface{…}`
  - `type ProfileCustomProfile struct{…}`
    - `ID string` The id of the profile (uuid).
    - `AllowedMatchCount int64` Related DLP policies will trigger when the match count exceeds the number set.
    - `CreatedAt Time` When the profile was created.
    - `Name string` The name of the profile.
    - `OCREnabled bool`
    - `Type ProfileCustomProfileType`
      - `const ProfileCustomProfileTypeCustom ProfileCustomProfileType = "custom"`
    - `UpdatedAt Time` When the profile was last updated.
    - `AIContextEnabled bool`
    - `ConfidenceThreshold ProfileCustomProfileConfidenceThreshold`
      - `const ProfileCustomProfileConfidenceThresholdLow ProfileCustomProfileConfidenceThreshold = "low"`
      - `const ProfileCustomProfileConfidenceThresholdMedium ProfileCustomProfileConfidenceThreshold = "medium"`
      - `const ProfileCustomProfileConfidenceThresholdHigh ProfileCustomProfileConfidenceThreshold = "high"`
      - `const ProfileCustomProfileConfidenceThresholdVeryHigh ProfileCustomProfileConfidenceThreshold = "very_high"`
    - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `Enabled bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `Skip SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `Files bool` If the content type is a file, skip context analysis and return all matches.
    - `DataClasses []string` Data classes associated with this profile.
    - `DataTags []string` Data tags associated with this profile.
    - `Description string` The description of the profile.
- `Entries []ProfileCustomProfileEntry` - `type ProfileCustomProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type ProfileCustomProfileEntriesCustomEntryType` - `const ProfileCustomProfileEntriesCustomEntryTypeCustom ProfileCustomProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesPredefinedEntryType` - `const ProfileCustomProfileEntriesPredefinedEntryTypePredefined ProfileCustomProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesIntegrationEntryType` - `const 
ProfileCustomProfileEntriesIntegrationEntryTypeIntegration ProfileCustomProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileEntriesExactDataEntryType` - `const ProfileCustomProfileEntriesExactDataEntryTypeExactData ProfileCustomProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileEntriesWordListEntryType` - `const ProfileCustomProfileEntriesWordListEntryTypeWordList ProfileCustomProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `SensitivityLevels [][]string` Sensitivity levels associated with this profile as (group_id, level_id) tuples. 
- `SharedEntries []ProfileCustomProfileSharedEntry` - `type ProfileCustomProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileCustomProfileSharedEntriesCustomEntryType` - `const ProfileCustomProfileSharedEntriesCustomEntryTypeCustom ProfileCustomProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileCustomProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryTypePredefined ProfileCustomProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileCustomProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileCustomProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileCustomProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileCustomProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesIntegrationEntryType` - `const 
ProfileCustomProfileSharedEntriesIntegrationEntryTypeIntegration ProfileCustomProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileCustomProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileCustomProfileSharedEntriesExactDataEntryType` - `const ProfileCustomProfileSharedEntriesExactDataEntryTypeExactData ProfileCustomProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileCustomProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileCustomProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileCustomProfileSharedEntriesWordListEntryType` - `const ProfileCustomProfileSharedEntriesWordListEntryTypeWordList ProfileCustomProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `type ProfilePredefinedProfile struct{…}` - `ID string` The id of the predefined profile (uuid). 
- `AllowedMatchCount int64` - `Entries []ProfilePredefinedProfileEntry` - `type ProfilePredefinedProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfilePredefinedProfileEntriesCustomEntryType` - `const ProfilePredefinedProfileEntriesCustomEntryTypeCustom ProfilePredefinedProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfilePredefinedProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfilePredefinedProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesPredefinedEntryType` - `const ProfilePredefinedProfileEntriesPredefinedEntryTypePredefined ProfilePredefinedProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfilePredefinedProfileEntriesPredefinedEntryVariant` - `TopicType ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfilePredefinedProfileEntriesPredefinedEntryVariantType` - `const ProfilePredefinedProfileEntriesPredefinedEntryVariantTypePromptTopic ProfilePredefinedProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfilePredefinedProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesIntegrationEntryType` - `const 
ProfilePredefinedProfileEntriesIntegrationEntryTypeIntegration ProfilePredefinedProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfilePredefinedProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfilePredefinedProfileEntriesExactDataEntryType` - `const ProfilePredefinedProfileEntriesExactDataEntryTypeExactData ProfilePredefinedProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesDocumentFingerprintEntryType` - `const ProfilePredefinedProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfilePredefinedProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfilePredefinedProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfilePredefinedProfileEntriesWordListEntryType` - `const ProfilePredefinedProfileEntriesWordListEntryTypeWordList ProfilePredefinedProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` The name of the predefined profile. 
- `Type ProfilePredefinedProfileType` - `const ProfilePredefinedProfileTypePredefined ProfilePredefinedProfileType = "predefined"` - `AIContextEnabled bool` - `ConfidenceThreshold ProfilePredefinedProfileConfidenceThreshold` - `const ProfilePredefinedProfileConfidenceThresholdLow ProfilePredefinedProfileConfidenceThreshold = "low"` - `const ProfilePredefinedProfileConfidenceThresholdMedium ProfilePredefinedProfileConfidenceThreshold = "medium"` - `const ProfilePredefinedProfileConfidenceThresholdHigh ProfilePredefinedProfileConfidenceThreshold = "high"` - `const ProfilePredefinedProfileConfidenceThresholdVeryHigh ProfilePredefinedProfileConfidenceThreshold = "very_high"` - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `OCREnabled bool` - `OpenAccess bool` Whether this profile can be accessed by anyone. - `type ProfileIntegrationProfile struct{…}` - `ID string` - `CreatedAt Time` - `Entries []ProfileIntegrationProfileEntry` - `type ProfileIntegrationProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileEntriesCustomEntryType` - `const ProfileIntegrationProfileEntriesCustomEntryTypeCustom ProfileIntegrationProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesPredefinedEntryType` - `const ProfileIntegrationProfileEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesIntegrationEntryType` - `const ProfileIntegrationProfileEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileEntriesExactDataEntryType` - `const ProfileIntegrationProfileEntriesExactDataEntryTypeExactData ProfileIntegrationProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileEntriesWordListEntryType` - `const ProfileIntegrationProfileEntriesWordListEntryTypeWordList ProfileIntegrationProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` - `SharedEntries []ProfileIntegrationProfileSharedEntry` - `type ProfileIntegrationProfileSharedEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type ProfileIntegrationProfileSharedEntriesCustomEntryType` - `const ProfileIntegrationProfileSharedEntriesCustomEntryTypeCustom ProfileIntegrationProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence ProfileIntegrationProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. 
- `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryTypePredefined ProfileIntegrationProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant ProfileIntegrationProfileSharedEntriesPredefinedEntryVariant` - `TopicType ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType` - `const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTypePromptTopic ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type ProfileIntegrationProfileSharedEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesIntegrationEntryType` - `const ProfileIntegrationProfileSharedEntriesIntegrationEntryTypeIntegration ProfileIntegrationProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type ProfileIntegrationProfileSharedEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type ProfileIntegrationProfileSharedEntriesExactDataEntryType` - `const ProfileIntegrationProfileSharedEntriesExactDataEntryTypeExactData ProfileIntegrationProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType` - `const ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type ProfileIntegrationProfileSharedEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type ProfileIntegrationProfileSharedEntriesWordListEntryType` - `const ProfileIntegrationProfileSharedEntriesWordListEntryTypeWordList ProfileIntegrationProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Type ProfileIntegrationProfileType` - `const ProfileIntegrationProfileTypeIntegration ProfileIntegrationProfileType = "integration"` - `UpdatedAt Time` - `Description string` The description of the profile. 
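
The entry types above pair a `Pattern.Regex` with an optional `Validation` of `"luhn"`, and `AllowedMatchCount` is the number the match count must exceed before related policies trigger. The following added example (not SDK code and not Cloudflare's implementation) shows locally how a Luhn check narrows regex candidates before that comparison; the regex, the sample text and the helper names `luhnValid`, `countMatches` and `exceedsAllowed` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// candidateRe is a constructed pattern for 13 to 19 digit runs with optional
// space or hyphen separators, the kind of regex a custom entry might carry.
var candidateRe = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)

// sampleText is constructed test data: two well-known Luhn-valid test card
// numbers, one tracking id and one mistyped card number.
const sampleText = `invoice 1001 paid with card 4111 1111 1111 1111
refund to 5500-0000-0000-0004 approved
tracking id 1234567890123456 shipped
mistyped card 4111 1111 1111 1112 rejected`

// luhnValid reports whether the digits in s pass the Luhn checksum.
// Spaces and hyphens are ignored; any other non-digit fails the check.
func luhnValid(s string) bool {
	sum, n := 0, 0
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c == ' ' || c == '-' {
			continue
		}
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if n%2 == 1 { // double every second digit, counting from the right
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		n++
	}
	return n > 1 && sum%10 == 0
}

// countMatches counts regex matches in text. When validation is "luhn",
// only matches that also pass the Luhn checksum are counted.
func countMatches(re *regexp.Regexp, text, validation string) int {
	count := 0
	for _, m := range re.FindAllString(text, -1) {
		if validation == "luhn" && !luhnValid(m) {
			continue
		}
		count++
	}
	return count
}

// exceedsAllowed mirrors the documented rule: trigger only when the match
// count exceeds the allowed match count.
func exceedsAllowed(count, allowedMatchCount int) bool {
	return count > allowedMatchCount
}

func main() {
	const allowed = 2 // constructed threshold for the demonstration
	raw := countMatches(candidateRe, sampleText, "")
	checked := countMatches(candidateRe, sampleText, "luhn")
	fmt.Printf("regex only: %d matches, exceeds %d: %v\n", raw, allowed, exceedsAllowed(raw, allowed))
	fmt.Printf("regex+luhn: %d matches, exceeds %d: %v\n", checked, allowed, exceedsAllowed(checked, allowed))
}
```

With the same regex and threshold, the unvalidated entry counts the tracking id and the mistyped number as hits, while the Luhn-validated entry does not.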

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Example token from the docs. Supply a real token from the
	// environment or a secret store rather than from source code.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	profile, err := client.ZeroTrust.DLP.Profiles.Custom.Update(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPProfileCustomUpdateParams{
			AccountID: cloudflare.F("account_id"),
			Name:      cloudflare.F("name"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", profile)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Delete custom profile

`client.ZeroTrust.DLP.Profiles.Custom.Delete(ctx, profileID, body) (*DLPProfileCustomDeleteResponse, error)`

**delete** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Deletes a DLP custom profile.

### Parameters

- `profileID string`
- `body DLPProfileCustomDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DLPProfileCustomDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Example token from the docs. Supply a real token from the
	// environment or a secret store rather than from source code.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	custom, err := client.ZeroTrust.DLP.Profiles.Custom.Delete(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPProfileCustomDeleteParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", custom)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Custom Profile

- `type CustomProfile struct{…}`
  - `ID string` The id of the profile (uuid).
  - `AllowedMatchCount int64` Related DLP policies will trigger when the match count exceeds the number set.
  - `CreatedAt Time` When the profile was created.
  - `Name string` The name of the profile.
  - `OCREnabled bool`
  - `UpdatedAt Time` When the profile was last updated.
- `AIContextEnabled bool` - `ConfidenceThreshold CustomProfileConfidenceThreshold` - `const CustomProfileConfidenceThresholdLow CustomProfileConfidenceThreshold = "low"` - `const CustomProfileConfidenceThresholdMedium CustomProfileConfidenceThreshold = "medium"` - `const CustomProfileConfidenceThresholdHigh CustomProfileConfidenceThreshold = "high"` - `const CustomProfileConfidenceThresholdVeryHigh CustomProfileConfidenceThreshold = "very_high"` - `ContextAwareness ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `Enabled bool` If true, scan the context of predefined entries to only return matches surrounded by keywords. - `Skip SkipConfiguration` Content types to exclude from context analysis and return all matches. - `Files bool` If the content type is a file, skip context analysis and return all matches. - `DataClasses []string` Data classes associated with this profile. - `DataTags []string` Data tags associated with this profile. - `Description string` The description of the profile. - `Entries []CustomProfileEntry` - `CustomProfileEntriesCustomEntry` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type CustomProfileEntriesCustomEntryType` - `const CustomProfileEntriesCustomEntryTypeCustom CustomProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `CustomProfileEntriesPredefinedEntry` - `ID string` - `Confidence CustomProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type CustomProfileEntriesPredefinedEntryType` - `const CustomProfileEntriesPredefinedEntryTypePredefined CustomProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant CustomProfileEntriesPredefinedEntryVariant` - `TopicType CustomProfileEntriesPredefinedEntryVariantTopicType` - `const CustomProfileEntriesPredefinedEntryVariantTopicTypeIntent CustomProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const CustomProfileEntriesPredefinedEntryVariantTopicTypeContent CustomProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type CustomProfileEntriesPredefinedEntryVariantType` - `const CustomProfileEntriesPredefinedEntryVariantTypePromptTopic CustomProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `CustomProfileEntriesIntegrationEntry` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type CustomProfileEntriesIntegrationEntryType` - `const CustomProfileEntriesIntegrationEntryTypeIntegration CustomProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `CustomProfileEntriesExactDataEntry` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type CustomProfileEntriesExactDataEntryType` - `const CustomProfileEntriesExactDataEntryTypeExactData CustomProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `CustomProfileEntriesDocumentFingerprintEntry` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type CustomProfileEntriesDocumentFingerprintEntryType` - `const CustomProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint CustomProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `CustomProfileEntriesWordListEntry` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type CustomProfileEntriesWordListEntryType` - `const CustomProfileEntriesWordListEntryTypeWordList CustomProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `SensitivityLevels [][]string` Sensitivity levels associated with this profile as (group_id, level_id) tuples. - `SharedEntries []CustomProfileSharedEntry` - `CustomProfileSharedEntriesCustomEntry` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Type CustomProfileSharedEntriesCustomEntryType` - `const CustomProfileSharedEntriesCustomEntryTypeCustom CustomProfileSharedEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `CustomProfileSharedEntriesPredefinedEntry` - `ID string` - `Confidence CustomProfileSharedEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type CustomProfileSharedEntriesPredefinedEntryType` - `const CustomProfileSharedEntriesPredefinedEntryTypePredefined CustomProfileSharedEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant CustomProfileSharedEntriesPredefinedEntryVariant` - `TopicType CustomProfileSharedEntriesPredefinedEntryVariantTopicType` - `const CustomProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent CustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"` - `const CustomProfileSharedEntriesPredefinedEntryVariantTopicTypeContent CustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"` - `Type CustomProfileSharedEntriesPredefinedEntryVariantType` - `const CustomProfileSharedEntriesPredefinedEntryVariantTypePromptTopic CustomProfileSharedEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `CustomProfileSharedEntriesIntegrationEntry` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type CustomProfileSharedEntriesIntegrationEntryType` - `const CustomProfileSharedEntriesIntegrationEntryTypeIntegration CustomProfileSharedEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `CustomProfileSharedEntriesExactDataEntry` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type CustomProfileSharedEntriesExactDataEntryType` - `const CustomProfileSharedEntriesExactDataEntryTypeExactData CustomProfileSharedEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `CustomProfileSharedEntriesDocumentFingerprintEntry` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type CustomProfileSharedEntriesDocumentFingerprintEntryType` - `const CustomProfileSharedEntriesDocumentFingerprintEntryTypeDocumentFingerprint CustomProfileSharedEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `CustomProfileSharedEntriesWordListEntry` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type CustomProfileSharedEntriesWordListEntryType` - `const CustomProfileSharedEntriesWordListEntryTypeWordList CustomProfileSharedEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` ### Pattern - `type Pattern struct{…}` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` # Predefined ## Get predefined profile config `client.ZeroTrust.DLP.Profiles.Predefined.Get(ctx, profileID, query) (*PredefinedProfile, error)` **get** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config` This is similar to `get_predefined` but only returns entries that are enabled. This is needed for our terraform API Fetches a predefined DLP profile by id. ### Parameters - `profileID string` - `query DLPProfilePredefinedGetParams` - `AccountID param.Field[string]` ### Returns - `type PredefinedProfile struct{…}` - `ID string` The id of the predefined profile (uuid). - `AllowedMatchCount int64` - `ConfidenceThreshold string` - `EnabledEntries []string` Entries to enable for this predefined profile. 
Any entries not provided will be disabled. - `Entries []PredefinedProfileEntry` This field has been deprecated for `enabled_entries`. - `type PredefinedProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type PredefinedProfileEntriesCustomEntryType` - `const PredefinedProfileEntriesCustomEntryTypeCustom PredefinedProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type PredefinedProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence PredefinedProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesPredefinedEntryType` - `const PredefinedProfileEntriesPredefinedEntryTypePredefined PredefinedProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant PredefinedProfileEntriesPredefinedEntryVariant` - `TopicType PredefinedProfileEntriesPredefinedEntryVariantTopicType` - `const PredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent PredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const PredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent PredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type PredefinedProfileEntriesPredefinedEntryVariantType` - `const PredefinedProfileEntriesPredefinedEntryVariantTypePromptTopic PredefinedProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type PredefinedProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesIntegrationEntryType` - `const 
PredefinedProfileEntriesIntegrationEntryTypeIntegration PredefinedProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type PredefinedProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type PredefinedProfileEntriesExactDataEntryType` - `const PredefinedProfileEntriesExactDataEntryTypeExactData PredefinedProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type PredefinedProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesDocumentFingerprintEntryType` - `const PredefinedProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint PredefinedProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type PredefinedProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesWordListEntryType` - `const PredefinedProfileEntriesWordListEntryTypeWordList PredefinedProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` The name of the predefined profile. - `AIContextEnabled bool` - `OCREnabled bool` - `OpenAccess bool` Whether this profile can be accessed by anyone. 
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	predefinedProfile, err := client.ZeroTrust.DLP.Profiles.Predefined.Get(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPProfilePredefinedGetParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", predefinedProfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 0,
    "confidence_threshold": "confidence_threshold",
    "enabled_entries": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "name": "name",
    "ai_context_enabled": true,
    "ocr_enabled": true,
    "open_access": true
  }
}
```

## Update predefined profile config

`client.ZeroTrust.DLP.Profiles.Predefined.Update(ctx, profileID, params) (*PredefinedProfile, error)`

**put** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config`

This is similar to `update_predefined` but only returns entries that are enabled. This is needed for our terraform API.

Updates a DLP predefined profile. Only supports enabling/disabling entries.
### Parameters - `profileID string` - `params DLPProfilePredefinedUpdateParams` - `AccountID param.Field[string]` Path param - `AIContextEnabled param.Field[bool]` Body param - `AllowedMatchCount param.Field[int64]` Body param - `ConfidenceThreshold param.Field[string]` Body param - `EnabledEntries param.Field[[]string]` Body param - `Entries param.Field[[]DLPProfilePredefinedUpdateParamsEntry]` Body param - `ID string` - `Enabled bool` - `OCREnabled param.Field[bool]` Body param ### Returns - `type PredefinedProfile struct{…}` - `ID string` The id of the predefined profile (uuid). - `AllowedMatchCount int64` - `ConfidenceThreshold string` - `EnabledEntries []string` Entries to enable for this predefined profile. Any entries not provided will be disabled. - `Entries []PredefinedProfileEntry` This field has been deprecated for `enabled_entries`. - `type PredefinedProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type PredefinedProfileEntriesCustomEntryType` - `const PredefinedProfileEntriesCustomEntryTypeCustom PredefinedProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type PredefinedProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence PredefinedProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesPredefinedEntryType` - `const PredefinedProfileEntriesPredefinedEntryTypePredefined PredefinedProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant PredefinedProfileEntriesPredefinedEntryVariant` - `TopicType PredefinedProfileEntriesPredefinedEntryVariantTopicType` - `const PredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent PredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const PredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent PredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type PredefinedProfileEntriesPredefinedEntryVariantType` - `const PredefinedProfileEntriesPredefinedEntryVariantTypePromptTopic PredefinedProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type PredefinedProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesIntegrationEntryType` - `const PredefinedProfileEntriesIntegrationEntryTypeIntegration PredefinedProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type PredefinedProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type PredefinedProfileEntriesExactDataEntryType` - `const PredefinedProfileEntriesExactDataEntryTypeExactData PredefinedProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type PredefinedProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesDocumentFingerprintEntryType` - `const PredefinedProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint PredefinedProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type PredefinedProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesWordListEntryType` - `const PredefinedProfileEntriesWordListEntryTypeWordList PredefinedProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` The name of the predefined profile. - `AIContextEnabled bool` - `OCREnabled bool` - `OpenAccess bool` Whether this profile can be accessed by anyone. 
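`EnabledEntries` replaces the whole set ("Any entries not provided will be disabled"), so an update that lists only the entry being added also switches off every entry that was enabled before. The following added example (not part of the Cloudflare SDK or its documentation) builds the complete list from a prior Get response and reports what a proposed list would disable; the entry IDs, the sample JSON and the helper names are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// sampleGetResponse is a constructed body shaped like the
// "Get predefined profile config" response; the IDs are placeholders.
const sampleGetResponse = `{
  "success": true,
  "result": {
    "id": "profile-placeholder",
    "enabled_entries": ["entry-a", "entry-b", "entry-c"]
  }
}`

// envelope models only the response fields this example reads.
type envelope struct {
	Success bool `json:"success"`
	Result  struct {
		ID             string   `json:"id"`
		EnabledEntries []string `json:"enabled_entries"`
	} `json:"result"`
}

// enabledFromResponse extracts the currently enabled entry IDs and
// refuses to plan from a response that did not succeed.
func enabledFromResponse(raw []byte) ([]string, error) {
	var env envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("response has success=false; not planning from it")
	}
	return env.Result.EnabledEntries, nil
}

// toSet turns a slice of IDs into a membership set.
func toSet(ids []string) map[string]bool {
	s := make(map[string]bool, len(ids))
	for _, id := range ids {
		s[id] = true
	}
	return s
}

// silentlyDisabled returns, sorted, every ID that is enabled now but
// missing from the proposed list, i.e. what the update would turn off.
func silentlyDisabled(current, proposed []string) []string {
	keep := toSet(proposed)
	var dropped []string
	for id := range toSet(current) {
		if !keep[id] {
			dropped = append(dropped, id)
		}
	}
	sort.Strings(dropped)
	return dropped
}

// buildEnabledEntries returns the complete list to send:
// (current + enable) minus disable, de-duplicated and sorted.
// An ID present in both enable and disable ends up disabled.
func buildEnabledEntries(current, enable, disable []string) []string {
	set := toSet(current)
	for _, id := range enable {
		set[id] = true
	}
	for _, id := range disable {
		delete(set, id)
	}
	full := make([]string, 0, len(set))
	for id := range set {
		full = append(full, id)
	}
	sort.Strings(full)
	return full
}

func main() {
	current, err := enabledFromResponse([]byte(sampleGetResponse))
	if err != nil {
		panic(err)
	}
	// Listing only the new entry drops everything that was enabled.
	naive := []string{"entry-new"}
	fmt.Println("naive update would disable:", silentlyDisabled(current, naive))

	// Read-modify-write keeps existing coverage.
	full := buildEnabledEntries(current, []string{"entry-new"}, nil)
	fmt.Println("send as EnabledEntries:", full)
	fmt.Println("disabled by full list:", silentlyDisabled(current, full))
}
```

The slice returned by `buildEnabledEntries` is the value to supply for the `EnabledEntries` body parameter; a non-empty result from `silentlyDisabled` is worth gating on before the update is sent.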
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	predefinedProfile, err := client.ZeroTrust.DLP.Profiles.Predefined.Update(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPProfilePredefinedUpdateParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", predefinedProfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 0,
    "confidence_threshold": "confidence_threshold",
    "enabled_entries": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "name": "name",
    "ai_context_enabled": true,
    "ocr_enabled": true,
    "open_access": true
  }
}
```

## Delete predefined profile

`client.ZeroTrust.DLP.Profiles.Predefined.Delete(ctx, profileID, body) (*DLPProfilePredefinedDeleteResponse, error)`

**delete** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}`

This is a no-op as predefined profiles can't be deleted but is needed for our generated terraform API.
### Parameters

- `profileID string`
- `body DLPProfilePredefinedDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DLPProfilePredefinedDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	predefined, err := client.ZeroTrust.DLP.Profiles.Predefined.Delete(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPProfilePredefinedDeleteParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", predefined)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Predefined Profile

- `type PredefinedProfile struct{…}`
  - `ID string`
    The id of the predefined profile (uuid).
  - `AllowedMatchCount int64`
  - `ConfidenceThreshold string`
  - `EnabledEntries []string`
    Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `Entries []PredefinedProfileEntry`
    This field has been deprecated for `enabled_entries`.
- `type PredefinedProfileEntriesCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type PredefinedProfileEntriesCustomEntryType` - `const PredefinedProfileEntriesCustomEntryTypeCustom PredefinedProfileEntriesCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type PredefinedProfileEntriesPredefinedEntry struct{…}` - `ID string` - `Confidence PredefinedProfileEntriesPredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesPredefinedEntryType` - `const PredefinedProfileEntriesPredefinedEntryTypePredefined PredefinedProfileEntriesPredefinedEntryType = "predefined"` - `ProfileID string` - `Variant PredefinedProfileEntriesPredefinedEntryVariant` - `TopicType PredefinedProfileEntriesPredefinedEntryVariantTopicType` - `const PredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent PredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"` - `const PredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent PredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"` - `Type PredefinedProfileEntriesPredefinedEntryVariantType` - `const PredefinedProfileEntriesPredefinedEntryVariantTypePromptTopic PredefinedProfileEntriesPredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type PredefinedProfileEntriesIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesIntegrationEntryType` - `const PredefinedProfileEntriesIntegrationEntryTypeIntegration PredefinedProfileEntriesIntegrationEntryType = "integration"` - `UpdatedAt Time` - 
`ProfileID string` - `type PredefinedProfileEntriesExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type PredefinedProfileEntriesExactDataEntryType` - `const PredefinedProfileEntriesExactDataEntryTypeExactData PredefinedProfileEntriesExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type PredefinedProfileEntriesDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesDocumentFingerprintEntryType` - `const PredefinedProfileEntriesDocumentFingerprintEntryTypeDocumentFingerprint PredefinedProfileEntriesDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type PredefinedProfileEntriesWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type PredefinedProfileEntriesWordListEntryType` - `const PredefinedProfileEntriesWordListEntryTypeWordList PredefinedProfileEntriesWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Name string` The name of the predefined profile. - `AIContextEnabled bool` - `OCREnabled bool` - `OpenAccess bool` Whether this profile can be accessed by anyone. # Limits ## Fetch limits associated with DLP for account `client.ZeroTrust.DLP.Limits.List(ctx, query) (*DLPLimitListResponse, error)` **get** `/accounts/{account_id}/dlp/limits` Retrieves current DLP usage limits and quotas for the account, including dataset limits and scan quotas. 
### Parameters

- `query DLPLimitListParams`
  - `AccountID param.Field[string]`

### Returns

- `type DLPLimitListResponse struct{…}`
  - `MaxDatasetCells int64`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	limits, err := client.ZeroTrust.DLP.Limits.List(context.TODO(), zero_trust.DLPLimitListParams{
		AccountID: cloudflare.F("account_id"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", limits.MaxDatasetCells)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "max_dataset_cells": 0
  }
}
```

# Entries

## List all entries

`client.ZeroTrust.DLP.Entries.List(ctx, query) (*SinglePage[DLPEntryListResponse], error)`

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.
### Parameters - `query DLPEntryListParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryListResponse interface{…}` - `type DLPEntryListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type DLPEntryListResponseObjectType` - `const DLPEntryListResponseObjectTypeCustom DLPEntryListResponseObjectType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `UploadStatus DLPEntryListResponseObjectUploadStatus` - `const DLPEntryListResponseObjectUploadStatusEmpty DLPEntryListResponseObjectUploadStatus = "empty"` - `const DLPEntryListResponseObjectUploadStatusUploading DLPEntryListResponseObjectUploadStatus = "uploading"` - `const DLPEntryListResponseObjectUploadStatusPending DLPEntryListResponseObjectUploadStatus = "pending"` - `const DLPEntryListResponseObjectUploadStatusProcessing DLPEntryListResponseObjectUploadStatus = "processing"` - `const DLPEntryListResponseObjectUploadStatusFailed DLPEntryListResponseObjectUploadStatus = "failed"` - `const DLPEntryListResponseObjectUploadStatusComplete DLPEntryListResponseObjectUploadStatus = "complete"` - `type DLPEntryListResponseObject struct{…}` - `ID string` - `Confidence DLPEntryListResponseObjectConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type DLPEntryListResponseObjectType` - `const DLPEntryListResponseObjectTypePredefined DLPEntryListResponseObjectType = "predefined"` - `ProfileID string` - `UploadStatus DLPEntryListResponseObjectUploadStatus` - `const DLPEntryListResponseObjectUploadStatusEmpty DLPEntryListResponseObjectUploadStatus = "empty"` - `const DLPEntryListResponseObjectUploadStatusUploading DLPEntryListResponseObjectUploadStatus = "uploading"` - `const DLPEntryListResponseObjectUploadStatusPending DLPEntryListResponseObjectUploadStatus = "pending"` - `const DLPEntryListResponseObjectUploadStatusProcessing DLPEntryListResponseObjectUploadStatus = "processing"` - `const DLPEntryListResponseObjectUploadStatusFailed DLPEntryListResponseObjectUploadStatus = "failed"` - `const DLPEntryListResponseObjectUploadStatusComplete DLPEntryListResponseObjectUploadStatus = "complete"` - `Variant DLPEntryListResponseObjectVariant` - `TopicType DLPEntryListResponseObjectVariantTopicType` - `const DLPEntryListResponseObjectVariantTopicTypeIntent DLPEntryListResponseObjectVariantTopicType = "Intent"` - `const DLPEntryListResponseObjectVariantTopicTypeContent DLPEntryListResponseObjectVariantTopicType = "Content"` - `Type DLPEntryListResponseObjectVariantType` - `const DLPEntryListResponseObjectVariantTypePromptTopic DLPEntryListResponseObjectVariantType = "PromptTopic"` - `Description string` - `type DLPEntryListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryListResponseObjectType` - `const DLPEntryListResponseObjectTypeIntegration DLPEntryListResponseObjectType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `UploadStatus DLPEntryListResponseObjectUploadStatus` - `const DLPEntryListResponseObjectUploadStatusEmpty DLPEntryListResponseObjectUploadStatus = "empty"` - `const DLPEntryListResponseObjectUploadStatusUploading DLPEntryListResponseObjectUploadStatus = "uploading"` - `const 
DLPEntryListResponseObjectUploadStatusPending DLPEntryListResponseObjectUploadStatus = "pending"` - `const DLPEntryListResponseObjectUploadStatusProcessing DLPEntryListResponseObjectUploadStatus = "processing"` - `const DLPEntryListResponseObjectUploadStatusFailed DLPEntryListResponseObjectUploadStatus = "failed"` - `const DLPEntryListResponseObjectUploadStatusComplete DLPEntryListResponseObjectUploadStatus = "complete"` - `type DLPEntryListResponseObject struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type DLPEntryListResponseObjectType` - `const DLPEntryListResponseObjectTypeExactData DLPEntryListResponseObjectType = "exact_data"` - `UpdatedAt Time` - `UploadStatus DLPEntryListResponseObjectUploadStatus` - `const DLPEntryListResponseObjectUploadStatusEmpty DLPEntryListResponseObjectUploadStatus = "empty"` - `const DLPEntryListResponseObjectUploadStatusUploading DLPEntryListResponseObjectUploadStatus = "uploading"` - `const DLPEntryListResponseObjectUploadStatusPending DLPEntryListResponseObjectUploadStatus = "pending"` - `const DLPEntryListResponseObjectUploadStatusProcessing DLPEntryListResponseObjectUploadStatus = "processing"` - `const DLPEntryListResponseObjectUploadStatusFailed DLPEntryListResponseObjectUploadStatus = "failed"` - `const DLPEntryListResponseObjectUploadStatusComplete DLPEntryListResponseObjectUploadStatus = "complete"` - `type DLPEntryListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryListResponseObjectType` - `const DLPEntryListResponseObjectTypeDocumentFingerprint DLPEntryListResponseObjectType = "document_fingerprint"` - `UpdatedAt Time` - `UploadStatus DLPEntryListResponseObjectUploadStatus` - `const DLPEntryListResponseObjectUploadStatusEmpty 
DLPEntryListResponseObjectUploadStatus = "empty"`
      - `const DLPEntryListResponseObjectUploadStatusUploading DLPEntryListResponseObjectUploadStatus = "uploading"`
      - `const DLPEntryListResponseObjectUploadStatusPending DLPEntryListResponseObjectUploadStatus = "pending"`
      - `const DLPEntryListResponseObjectUploadStatusProcessing DLPEntryListResponseObjectUploadStatus = "processing"`
      - `const DLPEntryListResponseObjectUploadStatusFailed DLPEntryListResponseObjectUploadStatus = "failed"`
      - `const DLPEntryListResponseObjectUploadStatusComplete DLPEntryListResponseObjectUploadStatus = "complete"`
  - `type DLPEntryListResponseObject struct{…}`
    - `ID string`
    - `CreatedAt Time`
    - `Enabled bool`
    - `Name string`
    - `Type DLPEntryListResponseObjectType`
      - `const DLPEntryListResponseObjectTypeWordList DLPEntryListResponseObjectType = "word_list"`
    - `UpdatedAt Time`
    - `WordList unknown`
    - `ProfileID string`
    - `UploadStatus DLPEntryListResponseObjectUploadStatus`
      - `const DLPEntryListResponseObjectUploadStatusEmpty DLPEntryListResponseObjectUploadStatus = "empty"`
      - `const DLPEntryListResponseObjectUploadStatusUploading DLPEntryListResponseObjectUploadStatus = "uploading"`
      - `const DLPEntryListResponseObjectUploadStatusPending DLPEntryListResponseObjectUploadStatus = "pending"`
      - `const DLPEntryListResponseObjectUploadStatusProcessing DLPEntryListResponseObjectUploadStatus = "processing"`
      - `const DLPEntryListResponseObjectUploadStatusFailed DLPEntryListResponseObjectUploadStatus = "failed"`
      - `const DLPEntryListResponseObjectUploadStatusComplete DLPEntryListResponseObjectUploadStatus = "complete"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.DLP.Entries.List(context.TODO(), zero_trust.DLPEntryListParams{
		AccountID: cloudflare.F("account_id"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "pattern": {
        "regex": "regex",
        "validation": "luhn"
      },
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description",
      "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "upload_status": "empty"
    }
  ]
}
```

## Get DLP Entry

`client.ZeroTrust.DLP.Entries.Get(ctx, entryID, query) (*DLPEntryGetResponse, error)`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.
### Parameters - `entryID string` - `query DLPEntryGetParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryGetResponse interface{…}` - `type DLPEntryGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type DLPEntryGetResponseObjectType` - `const DLPEntryGetResponseObjectTypeCustom DLPEntryGetResponseObjectType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `Profiles []DLPEntryGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryGetResponseObjectUploadStatus` - `const DLPEntryGetResponseObjectUploadStatusEmpty DLPEntryGetResponseObjectUploadStatus = "empty"` - `const DLPEntryGetResponseObjectUploadStatusUploading DLPEntryGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryGetResponseObjectUploadStatusPending DLPEntryGetResponseObjectUploadStatus = "pending"` - `const DLPEntryGetResponseObjectUploadStatusProcessing DLPEntryGetResponseObjectUploadStatus = "processing"` - `const DLPEntryGetResponseObjectUploadStatusFailed DLPEntryGetResponseObjectUploadStatus = "failed"` - `const DLPEntryGetResponseObjectUploadStatusComplete DLPEntryGetResponseObjectUploadStatus = "complete"` - `type DLPEntryGetResponseObject struct{…}` - `ID string` - `Confidence DLPEntryGetResponseObjectConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type DLPEntryGetResponseObjectType` - `const DLPEntryGetResponseObjectTypePredefined DLPEntryGetResponseObjectType = "predefined"` - `ProfileID string` - `Profiles []DLPEntryGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryGetResponseObjectUploadStatus` - `const DLPEntryGetResponseObjectUploadStatusEmpty DLPEntryGetResponseObjectUploadStatus = "empty"` - `const DLPEntryGetResponseObjectUploadStatusUploading DLPEntryGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryGetResponseObjectUploadStatusPending DLPEntryGetResponseObjectUploadStatus = "pending"` - `const DLPEntryGetResponseObjectUploadStatusProcessing DLPEntryGetResponseObjectUploadStatus = "processing"` - `const DLPEntryGetResponseObjectUploadStatusFailed DLPEntryGetResponseObjectUploadStatus = "failed"` - `const DLPEntryGetResponseObjectUploadStatusComplete DLPEntryGetResponseObjectUploadStatus = "complete"` - `Variant DLPEntryGetResponseObjectVariant` - `TopicType DLPEntryGetResponseObjectVariantTopicType` - `const DLPEntryGetResponseObjectVariantTopicTypeIntent DLPEntryGetResponseObjectVariantTopicType = "Intent"` - `const DLPEntryGetResponseObjectVariantTopicTypeContent DLPEntryGetResponseObjectVariantTopicType = "Content"` - `Type DLPEntryGetResponseObjectVariantType` - `const DLPEntryGetResponseObjectVariantTypePromptTopic DLPEntryGetResponseObjectVariantType = "PromptTopic"` - `Description string` - `type DLPEntryGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryGetResponseObjectType` - `const DLPEntryGetResponseObjectTypeIntegration DLPEntryGetResponseObjectType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `Profiles []DLPEntryGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryGetResponseObjectUploadStatus` - `const DLPEntryGetResponseObjectUploadStatusEmpty DLPEntryGetResponseObjectUploadStatus = "empty"` - `const 
DLPEntryGetResponseObjectUploadStatusUploading DLPEntryGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryGetResponseObjectUploadStatusPending DLPEntryGetResponseObjectUploadStatus = "pending"` - `const DLPEntryGetResponseObjectUploadStatusProcessing DLPEntryGetResponseObjectUploadStatus = "processing"` - `const DLPEntryGetResponseObjectUploadStatusFailed DLPEntryGetResponseObjectUploadStatus = "failed"` - `const DLPEntryGetResponseObjectUploadStatusComplete DLPEntryGetResponseObjectUploadStatus = "complete"` - `type DLPEntryGetResponseObject struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type DLPEntryGetResponseObjectType` - `const DLPEntryGetResponseObjectTypeExactData DLPEntryGetResponseObjectType = "exact_data"` - `UpdatedAt Time` - `Profiles []DLPEntryGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryGetResponseObjectUploadStatus` - `const DLPEntryGetResponseObjectUploadStatusEmpty DLPEntryGetResponseObjectUploadStatus = "empty"` - `const DLPEntryGetResponseObjectUploadStatusUploading DLPEntryGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryGetResponseObjectUploadStatusPending DLPEntryGetResponseObjectUploadStatus = "pending"` - `const DLPEntryGetResponseObjectUploadStatusProcessing DLPEntryGetResponseObjectUploadStatus = "processing"` - `const DLPEntryGetResponseObjectUploadStatusFailed DLPEntryGetResponseObjectUploadStatus = "failed"` - `const DLPEntryGetResponseObjectUploadStatusComplete DLPEntryGetResponseObjectUploadStatus = "complete"` - `type DLPEntryGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryGetResponseObjectType` - `const DLPEntryGetResponseObjectTypeDocumentFingerprint DLPEntryGetResponseObjectType = 
"document_fingerprint"` - `UpdatedAt Time` - `Profiles []DLPEntryGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryGetResponseObjectUploadStatus` - `const DLPEntryGetResponseObjectUploadStatusEmpty DLPEntryGetResponseObjectUploadStatus = "empty"` - `const DLPEntryGetResponseObjectUploadStatusUploading DLPEntryGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryGetResponseObjectUploadStatusPending DLPEntryGetResponseObjectUploadStatus = "pending"` - `const DLPEntryGetResponseObjectUploadStatusProcessing DLPEntryGetResponseObjectUploadStatus = "processing"` - `const DLPEntryGetResponseObjectUploadStatusFailed DLPEntryGetResponseObjectUploadStatus = "failed"` - `const DLPEntryGetResponseObjectUploadStatusComplete DLPEntryGetResponseObjectUploadStatus = "complete"` - `type DLPEntryGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryGetResponseObjectType` - `const DLPEntryGetResponseObjectTypeWordList DLPEntryGetResponseObjectType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Profiles []DLPEntryGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryGetResponseObjectUploadStatus` - `const DLPEntryGetResponseObjectUploadStatusEmpty DLPEntryGetResponseObjectUploadStatus = "empty"` - `const DLPEntryGetResponseObjectUploadStatusUploading DLPEntryGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryGetResponseObjectUploadStatusPending DLPEntryGetResponseObjectUploadStatus = "pending"` - `const DLPEntryGetResponseObjectUploadStatusProcessing DLPEntryGetResponseObjectUploadStatus = "processing"` - `const DLPEntryGetResponseObjectUploadStatusFailed DLPEntryGetResponseObjectUploadStatus = "failed"` - `const DLPEntryGetResponseObjectUploadStatusComplete DLPEntryGetResponseObjectUploadStatus = "complete"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" 
"github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) entry, err := client.ZeroTrust.DLP.Entries.Get( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPEntryGetParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", entry) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "profiles": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" } ], "upload_status": "empty" } } ``` ## Create custom entry `client.ZeroTrust.DLP.Entries.New(ctx, params) (*DLPEntryNewResponse, error)` **post** `/accounts/{account_id}/dlp/entries` Creates a DLP custom entry. 
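A custom entry's `Pattern` pairs a `Regex` with an optional `Validation` whose only listed value is `"luhn"`. The following is an added example, not code from the SDK or its documentation: a local pre-flight check that runs a candidate pattern over constructed samples before the entry is created. It assumes `luhn` validation means a regex match counts only if its digits pass the Luhn checksum, and that the regex is written in syntax Go's `regexp` package accepts. The `Pattern`, `Finding`, `Evaluate` and `luhnValid` names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern mirrors the two fields this reference lists for a custom entry's
// pattern. It is a local stand-in, not the SDK's zero_trust.Pattern type.
type Pattern struct {
	Regex      string
	Validation string // "" (none) or "luhn", the only value the reference lists
}

// Finding records one regex match and whether it survives validation.
type Finding struct {
	Sample string
	Match  string
	Kept   bool
}

// luhnValid reports whether the digits in s pass the Luhn checksum.
// Spaces and hyphens are skipped; any other non-digit character fails.
func luhnValid(s string) bool {
	sum, digits := 0, 0
	double := false // the rightmost digit is not doubled
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c == ' ' || c == '-' {
			continue
		}
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
		digits++
	}
	return digits >= 2 && sum%10 == 0
}

// Evaluate compiles p.Regex, finds every match in each sample, and marks a
// match as kept when no validation is set or when it passes the Luhn check
// (assumed semantics of validation "luhn").
func Evaluate(p Pattern, samples []string) ([]Finding, error) {
	if p.Validation != "" && p.Validation != "luhn" {
		return nil, fmt.Errorf("unsupported validation %q", p.Validation)
	}
	re, err := regexp.Compile(p.Regex)
	if err != nil {
		return nil, fmt.Errorf("regex does not compile: %w", err)
	}
	var out []Finding
	for _, s := range samples {
		for _, m := range re.FindAllString(s, -1) {
			kept := p.Validation == "" || luhnValid(m)
			out = append(out, Finding{Sample: s, Match: m, Kept: kept})
		}
	}
	return out, nil
}

func main() {
	// Constructed samples: a widely published test card number, a 16-digit
	// order id that fails the checksum, and a line with no digits.
	samples := []string{
		"card 4111 1111 1111 1111 on file",
		"order id 1234-5678-9012-3456",
		"no numbers here",
	}
	p := Pattern{Regex: `\b(?:\d[ -]?){15}\d\b`, Validation: "luhn"}

	findings, err := Evaluate(p, samples)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("match=%q kept=%v\n", f.Match, f.Kept)
	}
}
```

Running the same samples with `Validation` left empty shows how many extra hits the regex alone would raise, which is a quick way to estimate the false-positive rate before enabling an entry.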
### Parameters - `params DLPEntryNewParams` - `AccountID param.Field[string]` Path param - `Enabled param.Field[bool]` Body param - `Name param.Field[string]` Body param - `Pattern param.Field[Pattern]` Body param - `Description param.Field[string]` Body param - `ProfileID param.Field[string]` Body param ### Returns - `type DLPEntryNewResponse struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `UpdatedAt Time` - `Description string` - `ProfileID string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) entry, err := client.ZeroTrust.DLP.Entries.New(context.TODO(), zero_trust.DLPEntryNewParams{ AccountID: cloudflare.F("account_id"), Enabled: cloudflare.F(true), Name: cloudflare.F("name"), Pattern: cloudflare.F(zero_trust.PatternParam{ Regex: cloudflare.F("regex"), }), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", entry.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } } ``` ## Update entry `client.ZeroTrust.DLP.Entries.Update(ctx, entryID, params) (*DLPEntryUpdateResponse, 
error)` **put** `/accounts/{account_id}/dlp/entries/{entry_id}` Updates a DLP entry. ### Parameters - `entryID string` - `params DLPEntryUpdateParams` - `AccountID param.Field[string]` Path param - `Name param.Field[string]` Body param - `Pattern param.Field[Pattern]` Body param - `Type param.Field[DLPEntryUpdateParamsVariant0Type]` Body param - `const DLPEntryUpdateParamsVariant0TypeCustom DLPEntryUpdateParamsVariant0Type = "custom"` - `Description param.Field[string]` Body param - `Enabled param.Field[bool]` Body param ### Returns - `type DLPEntryUpdateResponse interface{…}` - `type DLPEntryUpdateResponseCustomEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type DLPEntryUpdateResponseCustomEntryType` - `const DLPEntryUpdateResponseCustomEntryTypeCustom DLPEntryUpdateResponseCustomEntryType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `type DLPEntryUpdateResponsePredefinedEntry struct{…}` - `ID string` - `Confidence DLPEntryUpdateResponsePredefinedEntryConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type DLPEntryUpdateResponsePredefinedEntryType` - `const DLPEntryUpdateResponsePredefinedEntryTypePredefined DLPEntryUpdateResponsePredefinedEntryType = "predefined"` - `ProfileID string` - `Variant DLPEntryUpdateResponsePredefinedEntryVariant` - `TopicType DLPEntryUpdateResponsePredefinedEntryVariantTopicType` - `const DLPEntryUpdateResponsePredefinedEntryVariantTopicTypeIntent DLPEntryUpdateResponsePredefinedEntryVariantTopicType = "Intent"` - `const DLPEntryUpdateResponsePredefinedEntryVariantTopicTypeContent DLPEntryUpdateResponsePredefinedEntryVariantTopicType = "Content"` - `Type DLPEntryUpdateResponsePredefinedEntryVariantType` - `const DLPEntryUpdateResponsePredefinedEntryVariantTypePromptTopic DLPEntryUpdateResponsePredefinedEntryVariantType = "PromptTopic"` - `Description string` - `type DLPEntryUpdateResponseIntegrationEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryUpdateResponseIntegrationEntryType` - `const DLPEntryUpdateResponseIntegrationEntryTypeIntegration DLPEntryUpdateResponseIntegrationEntryType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `type DLPEntryUpdateResponseExactDataEntry struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type DLPEntryUpdateResponseExactDataEntryType` - `const DLPEntryUpdateResponseExactDataEntryTypeExactData DLPEntryUpdateResponseExactDataEntryType = "exact_data"` - `UpdatedAt Time` - `type DLPEntryUpdateResponseDocumentFingerprintEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryUpdateResponseDocumentFingerprintEntryType` - `const DLPEntryUpdateResponseDocumentFingerprintEntryTypeDocumentFingerprint DLPEntryUpdateResponseDocumentFingerprintEntryType = "document_fingerprint"` - `UpdatedAt Time` - `type DLPEntryUpdateResponseWordListEntry struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryUpdateResponseWordListEntryType` - `const DLPEntryUpdateResponseWordListEntryTypeWordList DLPEntryUpdateResponseWordListEntryType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) entry, err := client.ZeroTrust.DLP.Entries.Update( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPEntryUpdateParams{ AccountID: cloudflare.F("account_id"), Body: zero_trust.DLPEntryUpdateParamsBodyCustom{ Name: cloudflare.F("name"), Pattern: cloudflare.F(zero_trust.PatternParam{ Regex: cloudflare.F("regex"), }), Type: cloudflare.F(zero_trust.DLPEntryUpdateParamsBodyCustomTypeCustom), }, }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", entry) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { 
"pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } } ``` ## Delete custom entry `client.ZeroTrust.DLP.Entries.Delete(ctx, entryID, body) (*DLPEntryDeleteResponse, error)` **delete** `/accounts/{account_id}/dlp/entries/{entry_id}` Deletes a DLP custom entry. ### Parameters - `entryID string` - `body DLPEntryDeleteParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) entry, err := client.ZeroTrust.DLP.Entries.Delete( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPEntryDeleteParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", entry) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` # Custom ## Create custom entry `client.ZeroTrust.DLP.Entries.Custom.New(ctx, params) (*DLPEntryCustomNewResponse, error)` **post** `/accounts/{account_id}/dlp/entries` Creates a DLP custom entry. 
### Parameters - `params DLPEntryCustomNewParams` - `AccountID param.Field[string]` Path param - `Enabled param.Field[bool]` Body param - `Name param.Field[string]` Body param - `Pattern param.Field[Pattern]` Body param - `Description param.Field[string]` Body param - `ProfileID param.Field[string]` Body param ### Returns - `type DLPEntryCustomNewResponse struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `UpdatedAt Time` - `Description string` - `ProfileID string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) custom, err := client.ZeroTrust.DLP.Entries.Custom.New(context.TODO(), zero_trust.DLPEntryCustomNewParams{ AccountID: cloudflare.F("account_id"), Enabled: cloudflare.F(true), Name: cloudflare.F("name"), Pattern: cloudflare.F(zero_trust.PatternParam{ Regex: cloudflare.F("regex"), }), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", custom.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } } ``` ## Update custom entry `client.ZeroTrust.DLP.Entries.Custom.Update(ctx, entryID, 
params) (*DLPEntryCustomUpdateResponse, error)` **put** `/accounts/{account_id}/dlp/entries/custom/{entry_id}` Updates a DLP custom entry. ### Parameters - `entryID string` - `params DLPEntryCustomUpdateParams` - `AccountID param.Field[string]` Path param - `Enabled param.Field[bool]` Body param - `Name param.Field[string]` Body param - `Pattern param.Field[Pattern]` Body param - `Description param.Field[string]` Body param ### Returns - `type DLPEntryCustomUpdateResponse struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `UpdatedAt Time` - `Description string` - `ProfileID string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) custom, err := client.ZeroTrust.DLP.Entries.Custom.Update( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPEntryCustomUpdateParams{ AccountID: cloudflare.F("account_id"), Enabled: cloudflare.F(true), Name: cloudflare.F("name"), Pattern: cloudflare.F(zero_trust.PatternParam{ Regex: cloudflare.F("regex"), }), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", custom.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "updated_at": "2019-12-27T18:11:19.117Z", 
"description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } } ``` ## Delete custom entry `client.ZeroTrust.DLP.Entries.Custom.Delete(ctx, entryID, body) (*DLPEntryCustomDeleteResponse, error)` **delete** `/accounts/{account_id}/dlp/entries/{entry_id}` Deletes a DLP custom entry. ### Parameters - `entryID string` - `body DLPEntryCustomDeleteParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryCustomDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) custom, err := client.ZeroTrust.DLP.Entries.Custom.Delete( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPEntryCustomDeleteParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", custom) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Get DLP Entry `client.ZeroTrust.DLP.Entries.Custom.Get(ctx, entryID, query) (*DLPEntryCustomGetResponse, error)` **get** `/accounts/{account_id}/dlp/entries/{entry_id}` Fetches a DLP entry by ID. 
### Parameters - `entryID string` - `query DLPEntryCustomGetParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryCustomGetResponse interface{…}` - `type DLPEntryCustomGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type DLPEntryCustomGetResponseObjectType` - `const DLPEntryCustomGetResponseObjectTypeCustom DLPEntryCustomGetResponseObjectType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `Profiles []DLPEntryCustomGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryCustomGetResponseObjectUploadStatus` - `const DLPEntryCustomGetResponseObjectUploadStatusEmpty DLPEntryCustomGetResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomGetResponseObjectUploadStatusUploading DLPEntryCustomGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomGetResponseObjectUploadStatusPending DLPEntryCustomGetResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomGetResponseObjectUploadStatusProcessing DLPEntryCustomGetResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomGetResponseObjectUploadStatusFailed DLPEntryCustomGetResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomGetResponseObjectUploadStatusComplete DLPEntryCustomGetResponseObjectUploadStatus = "complete"` - `type DLPEntryCustomGetResponseObject struct{…}` - `ID string` - `Confidence DLPEntryCustomGetResponseObjectConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type DLPEntryCustomGetResponseObjectType` - `const DLPEntryCustomGetResponseObjectTypePredefined DLPEntryCustomGetResponseObjectType = "predefined"` - `ProfileID string` - `Profiles []DLPEntryCustomGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryCustomGetResponseObjectUploadStatus` - `const DLPEntryCustomGetResponseObjectUploadStatusEmpty DLPEntryCustomGetResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomGetResponseObjectUploadStatusUploading DLPEntryCustomGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomGetResponseObjectUploadStatusPending DLPEntryCustomGetResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomGetResponseObjectUploadStatusProcessing DLPEntryCustomGetResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomGetResponseObjectUploadStatusFailed DLPEntryCustomGetResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomGetResponseObjectUploadStatusComplete DLPEntryCustomGetResponseObjectUploadStatus = "complete"` - `Variant DLPEntryCustomGetResponseObjectVariant` - `TopicType DLPEntryCustomGetResponseObjectVariantTopicType` - `const DLPEntryCustomGetResponseObjectVariantTopicTypeIntent DLPEntryCustomGetResponseObjectVariantTopicType = "Intent"` - `const DLPEntryCustomGetResponseObjectVariantTopicTypeContent DLPEntryCustomGetResponseObjectVariantTopicType = "Content"` - `Type DLPEntryCustomGetResponseObjectVariantType` - `const DLPEntryCustomGetResponseObjectVariantTypePromptTopic DLPEntryCustomGetResponseObjectVariantType = "PromptTopic"` - `Description string` - `type DLPEntryCustomGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryCustomGetResponseObjectType` - `const DLPEntryCustomGetResponseObjectTypeIntegration DLPEntryCustomGetResponseObjectType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `Profiles []DLPEntryCustomGetResponseObjectProfile` - `ID string` - 
`Name string` - `UploadStatus DLPEntryCustomGetResponseObjectUploadStatus` - `const DLPEntryCustomGetResponseObjectUploadStatusEmpty DLPEntryCustomGetResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomGetResponseObjectUploadStatusUploading DLPEntryCustomGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomGetResponseObjectUploadStatusPending DLPEntryCustomGetResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomGetResponseObjectUploadStatusProcessing DLPEntryCustomGetResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomGetResponseObjectUploadStatusFailed DLPEntryCustomGetResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomGetResponseObjectUploadStatusComplete DLPEntryCustomGetResponseObjectUploadStatus = "complete"` - `type DLPEntryCustomGetResponseObject struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type DLPEntryCustomGetResponseObjectType` - `const DLPEntryCustomGetResponseObjectTypeExactData DLPEntryCustomGetResponseObjectType = "exact_data"` - `UpdatedAt Time` - `Profiles []DLPEntryCustomGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryCustomGetResponseObjectUploadStatus` - `const DLPEntryCustomGetResponseObjectUploadStatusEmpty DLPEntryCustomGetResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomGetResponseObjectUploadStatusUploading DLPEntryCustomGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomGetResponseObjectUploadStatusPending DLPEntryCustomGetResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomGetResponseObjectUploadStatusProcessing DLPEntryCustomGetResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomGetResponseObjectUploadStatusFailed DLPEntryCustomGetResponseObjectUploadStatus = "failed"` - `const 
DLPEntryCustomGetResponseObjectUploadStatusComplete DLPEntryCustomGetResponseObjectUploadStatus = "complete"` - `type DLPEntryCustomGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryCustomGetResponseObjectType` - `const DLPEntryCustomGetResponseObjectTypeDocumentFingerprint DLPEntryCustomGetResponseObjectType = "document_fingerprint"` - `UpdatedAt Time` - `Profiles []DLPEntryCustomGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryCustomGetResponseObjectUploadStatus` - `const DLPEntryCustomGetResponseObjectUploadStatusEmpty DLPEntryCustomGetResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomGetResponseObjectUploadStatusUploading DLPEntryCustomGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomGetResponseObjectUploadStatusPending DLPEntryCustomGetResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomGetResponseObjectUploadStatusProcessing DLPEntryCustomGetResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomGetResponseObjectUploadStatusFailed DLPEntryCustomGetResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomGetResponseObjectUploadStatusComplete DLPEntryCustomGetResponseObjectUploadStatus = "complete"` - `type DLPEntryCustomGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryCustomGetResponseObjectType` - `const DLPEntryCustomGetResponseObjectTypeWordList DLPEntryCustomGetResponseObjectType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Profiles []DLPEntryCustomGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryCustomGetResponseObjectUploadStatus` - `const DLPEntryCustomGetResponseObjectUploadStatusEmpty DLPEntryCustomGetResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomGetResponseObjectUploadStatusUploading DLPEntryCustomGetResponseObjectUploadStatus = "uploading"` - `const 
DLPEntryCustomGetResponseObjectUploadStatusPending DLPEntryCustomGetResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomGetResponseObjectUploadStatusProcessing DLPEntryCustomGetResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomGetResponseObjectUploadStatusFailed DLPEntryCustomGetResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomGetResponseObjectUploadStatusComplete DLPEntryCustomGetResponseObjectUploadStatus = "complete"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) custom, err := client.ZeroTrust.DLP.Entries.Custom.Get( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPEntryCustomGetParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", custom) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "profiles": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" } ], "upload_status": "empty" } } ``` ## List all entries `client.ZeroTrust.DLP.Entries.Custom.List(ctx, query) (*SinglePage[DLPEntryCustomListResponse], error)` **get** `/accounts/{account_id}/dlp/entries` Lists all DLP entries in an account. 
### Parameters - `query DLPEntryCustomListParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryCustomListResponse interface{…}` - `type DLPEntryCustomListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type DLPEntryCustomListResponseObjectType` - `const DLPEntryCustomListResponseObjectTypeCustom DLPEntryCustomListResponseObjectType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `UploadStatus DLPEntryCustomListResponseObjectUploadStatus` - `const DLPEntryCustomListResponseObjectUploadStatusEmpty DLPEntryCustomListResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomListResponseObjectUploadStatusUploading DLPEntryCustomListResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomListResponseObjectUploadStatusPending DLPEntryCustomListResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomListResponseObjectUploadStatusProcessing DLPEntryCustomListResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomListResponseObjectUploadStatusFailed DLPEntryCustomListResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomListResponseObjectUploadStatusComplete DLPEntryCustomListResponseObjectUploadStatus = "complete"` - `type DLPEntryCustomListResponseObject struct{…}` - `ID string` - `Confidence DLPEntryCustomListResponseObjectConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type DLPEntryCustomListResponseObjectType` - `const DLPEntryCustomListResponseObjectTypePredefined DLPEntryCustomListResponseObjectType = "predefined"` - `ProfileID string` - `UploadStatus DLPEntryCustomListResponseObjectUploadStatus` - `const DLPEntryCustomListResponseObjectUploadStatusEmpty DLPEntryCustomListResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomListResponseObjectUploadStatusUploading DLPEntryCustomListResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomListResponseObjectUploadStatusPending DLPEntryCustomListResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomListResponseObjectUploadStatusProcessing DLPEntryCustomListResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomListResponseObjectUploadStatusFailed DLPEntryCustomListResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomListResponseObjectUploadStatusComplete DLPEntryCustomListResponseObjectUploadStatus = "complete"` - `Variant DLPEntryCustomListResponseObjectVariant` - `TopicType DLPEntryCustomListResponseObjectVariantTopicType` - `const DLPEntryCustomListResponseObjectVariantTopicTypeIntent DLPEntryCustomListResponseObjectVariantTopicType = "Intent"` - `const DLPEntryCustomListResponseObjectVariantTopicTypeContent DLPEntryCustomListResponseObjectVariantTopicType = "Content"` - `Type DLPEntryCustomListResponseObjectVariantType` - `const DLPEntryCustomListResponseObjectVariantTypePromptTopic DLPEntryCustomListResponseObjectVariantType = "PromptTopic"` - `Description string` - `type DLPEntryCustomListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryCustomListResponseObjectType` - `const DLPEntryCustomListResponseObjectTypeIntegration DLPEntryCustomListResponseObjectType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `UploadStatus DLPEntryCustomListResponseObjectUploadStatus` - `const DLPEntryCustomListResponseObjectUploadStatusEmpty 
DLPEntryCustomListResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomListResponseObjectUploadStatusUploading DLPEntryCustomListResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomListResponseObjectUploadStatusPending DLPEntryCustomListResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomListResponseObjectUploadStatusProcessing DLPEntryCustomListResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomListResponseObjectUploadStatusFailed DLPEntryCustomListResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomListResponseObjectUploadStatusComplete DLPEntryCustomListResponseObjectUploadStatus = "complete"` - `type DLPEntryCustomListResponseObject struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type DLPEntryCustomListResponseObjectType` - `const DLPEntryCustomListResponseObjectTypeExactData DLPEntryCustomListResponseObjectType = "exact_data"` - `UpdatedAt Time` - `UploadStatus DLPEntryCustomListResponseObjectUploadStatus` - `const DLPEntryCustomListResponseObjectUploadStatusEmpty DLPEntryCustomListResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomListResponseObjectUploadStatusUploading DLPEntryCustomListResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomListResponseObjectUploadStatusPending DLPEntryCustomListResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomListResponseObjectUploadStatusProcessing DLPEntryCustomListResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomListResponseObjectUploadStatusFailed DLPEntryCustomListResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomListResponseObjectUploadStatusComplete DLPEntryCustomListResponseObjectUploadStatus = "complete"` - `type DLPEntryCustomListResponseObject struct{…}` - `ID string` - `CreatedAt 
Time` - `Enabled bool` - `Name string` - `Type DLPEntryCustomListResponseObjectType` - `const DLPEntryCustomListResponseObjectTypeDocumentFingerprint DLPEntryCustomListResponseObjectType = "document_fingerprint"` - `UpdatedAt Time` - `UploadStatus DLPEntryCustomListResponseObjectUploadStatus` - `const DLPEntryCustomListResponseObjectUploadStatusEmpty DLPEntryCustomListResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomListResponseObjectUploadStatusUploading DLPEntryCustomListResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomListResponseObjectUploadStatusPending DLPEntryCustomListResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomListResponseObjectUploadStatusProcessing DLPEntryCustomListResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomListResponseObjectUploadStatusFailed DLPEntryCustomListResponseObjectUploadStatus = "failed"` - `const DLPEntryCustomListResponseObjectUploadStatusComplete DLPEntryCustomListResponseObjectUploadStatus = "complete"` - `type DLPEntryCustomListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryCustomListResponseObjectType` - `const DLPEntryCustomListResponseObjectTypeWordList DLPEntryCustomListResponseObjectType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `UploadStatus DLPEntryCustomListResponseObjectUploadStatus` - `const DLPEntryCustomListResponseObjectUploadStatusEmpty DLPEntryCustomListResponseObjectUploadStatus = "empty"` - `const DLPEntryCustomListResponseObjectUploadStatusUploading DLPEntryCustomListResponseObjectUploadStatus = "uploading"` - `const DLPEntryCustomListResponseObjectUploadStatusPending DLPEntryCustomListResponseObjectUploadStatus = "pending"` - `const DLPEntryCustomListResponseObjectUploadStatusProcessing DLPEntryCustomListResponseObjectUploadStatus = "processing"` - `const DLPEntryCustomListResponseObjectUploadStatusFailed DLPEntryCustomListResponseObjectUploadStatus = 
"failed"` - `const DLPEntryCustomListResponseObjectUploadStatusComplete DLPEntryCustomListResponseObjectUploadStatus = "complete"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.DLP.Entries.Custom.List(context.TODO(), zero_trust.DLPEntryCustomListParams{ AccountID: cloudflare.F("account_id"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "upload_status": "empty" } ] } ``` # Predefined ## Create predefined entry `client.ZeroTrust.DLP.Entries.Predefined.New(ctx, params) (*DLPEntryPredefinedNewResponse, error)` **post** `/accounts/{account_id}/dlp/entries/predefined` Predefined entries can't be created, this will update an existing predefined entry. This is needed for our generated terraform API. ### Parameters - `params DLPEntryPredefinedNewParams` - `AccountID param.Field[string]` Path param - `Enabled param.Field[bool]` Body param - `EntryID param.Field[string]` Body param - `ProfileID param.Field[string]` Body param: This field is not used as the owning profile. For predefined entries it is already set to a predefined profile. 
### Returns

- `type DLPEntryPredefinedNewResponse struct{…}`
  - `ID string`
  - `Confidence DLPEntryPredefinedNewResponseConfidence`
    - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation.
    - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `Enabled bool`
  - `Name string`
  - `ProfileID string`
  - `Variant DLPEntryPredefinedNewResponseVariant`
    - `TopicType DLPEntryPredefinedNewResponseVariantTopicType`
      - `const DLPEntryPredefinedNewResponseVariantTopicTypeIntent DLPEntryPredefinedNewResponseVariantTopicType = "Intent"`
      - `const DLPEntryPredefinedNewResponseVariantTopicTypeContent DLPEntryPredefinedNewResponseVariantTopicType = "Content"`
    - `Type DLPEntryPredefinedNewResponseVariantType`
      - `const DLPEntryPredefinedNewResponseVariantTypePromptTopic DLPEntryPredefinedNewResponseVariantType = "PromptTopic"`
    - `Description string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	predefined, err := client.ZeroTrust.DLP.Entries.Predefined.New(context.TODO(), zero_trust.DLPEntryPredefinedNewParams{
		AccountID: cloudflare.F("account_id"),
		Enabled:   cloudflare.F(true),
		EntryID:   cloudflare.F("182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", predefined.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "confidence": {
      "ai_context_available": true,
      "available": true
    },
    "enabled": true,
    "name": "name",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "variant": {
      "topic_type": "Intent",
      "type": "PromptTopic",
      "description": "description"
    }
  }
}
```

## Update predefined entry

`client.ZeroTrust.DLP.Entries.Predefined.Update(ctx, entryID, params) (*DLPEntryPredefinedUpdateResponse, error)`

**put** `/accounts/{account_id}/dlp/entries/predefined/{entry_id}`

Updates a DLP entry.

### Parameters

- `entryID string`
- `params DLPEntryPredefinedUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Enabled param.Field[bool]` Body param

### Returns

- `type DLPEntryPredefinedUpdateResponse struct{…}`
  - `ID string`
  - `Confidence DLPEntryPredefinedUpdateResponseConfidence`
    - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation.
    - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `Enabled bool`
  - `Name string`
  - `ProfileID string`
  - `Variant DLPEntryPredefinedUpdateResponseVariant`
    - `TopicType DLPEntryPredefinedUpdateResponseVariantTopicType`
      - `const DLPEntryPredefinedUpdateResponseVariantTopicTypeIntent DLPEntryPredefinedUpdateResponseVariantTopicType = "Intent"`
      - `const DLPEntryPredefinedUpdateResponseVariantTopicTypeContent DLPEntryPredefinedUpdateResponseVariantTopicType = "Content"`
    - `Type DLPEntryPredefinedUpdateResponseVariantType`
      - `const DLPEntryPredefinedUpdateResponseVariantTypePromptTopic DLPEntryPredefinedUpdateResponseVariantType = "PromptTopic"`
    - `Description string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	predefined, err := client.ZeroTrust.DLP.Entries.Predefined.Update(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPEntryPredefinedUpdateParams{
			AccountID: cloudflare.F("account_id"),
			Enabled:   cloudflare.F(true),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", predefined.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "confidence": {
      "ai_context_available": true,
      "available": true
    },
    "enabled": true,
    "name": "name",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "variant": {
      "topic_type": "Intent",
      "type": "PromptTopic",
      "description": "description"
    }
  }
}
```

## Delete predefined entry

`client.ZeroTrust.DLP.Entries.Predefined.Delete(ctx, entryID, body) (*DLPEntryPredefinedDeleteResponse, error)`

**delete** `/accounts/{account_id}/dlp/entries/predefined/{entry_id}`

This is a no-op, as predefined entries can't be deleted, but it is needed for our generated terraform API.
### Parameters

- `entryID string`
- `body DLPEntryPredefinedDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DLPEntryPredefinedDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	predefined, err := client.ZeroTrust.DLP.Entries.Predefined.Delete(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPEntryPredefinedDeleteParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", predefined)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Get DLP Entry

`client.ZeroTrust.DLP.Entries.Predefined.Get(ctx, entryID, query) (*DLPEntryPredefinedGetResponse, error)`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.
### Parameters - `entryID string` - `query DLPEntryPredefinedGetParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryPredefinedGetResponse interface{…}` - `type DLPEntryPredefinedGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type DLPEntryPredefinedGetResponseObjectType` - `const DLPEntryPredefinedGetResponseObjectTypeCustom DLPEntryPredefinedGetResponseObjectType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `Profiles []DLPEntryPredefinedGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryPredefinedGetResponseObjectUploadStatus` - `const DLPEntryPredefinedGetResponseObjectUploadStatusEmpty DLPEntryPredefinedGetResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusUploading DLPEntryPredefinedGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusPending DLPEntryPredefinedGetResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusProcessing DLPEntryPredefinedGetResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusFailed DLPEntryPredefinedGetResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusComplete DLPEntryPredefinedGetResponseObjectUploadStatus = "complete"` - `type DLPEntryPredefinedGetResponseObject struct{…}` - `ID string` - `Confidence DLPEntryPredefinedGetResponseObjectConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type DLPEntryPredefinedGetResponseObjectType` - `const DLPEntryPredefinedGetResponseObjectTypePredefined DLPEntryPredefinedGetResponseObjectType = "predefined"` - `ProfileID string` - `Profiles []DLPEntryPredefinedGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryPredefinedGetResponseObjectUploadStatus` - `const DLPEntryPredefinedGetResponseObjectUploadStatusEmpty DLPEntryPredefinedGetResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusUploading DLPEntryPredefinedGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusPending DLPEntryPredefinedGetResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusProcessing DLPEntryPredefinedGetResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusFailed DLPEntryPredefinedGetResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusComplete DLPEntryPredefinedGetResponseObjectUploadStatus = "complete"` - `Variant DLPEntryPredefinedGetResponseObjectVariant` - `TopicType DLPEntryPredefinedGetResponseObjectVariantTopicType` - `const DLPEntryPredefinedGetResponseObjectVariantTopicTypeIntent DLPEntryPredefinedGetResponseObjectVariantTopicType = "Intent"` - `const DLPEntryPredefinedGetResponseObjectVariantTopicTypeContent DLPEntryPredefinedGetResponseObjectVariantTopicType = "Content"` - `Type DLPEntryPredefinedGetResponseObjectVariantType` - `const DLPEntryPredefinedGetResponseObjectVariantTypePromptTopic DLPEntryPredefinedGetResponseObjectVariantType = "PromptTopic"` - `Description string` - `type DLPEntryPredefinedGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryPredefinedGetResponseObjectType` - `const DLPEntryPredefinedGetResponseObjectTypeIntegration DLPEntryPredefinedGetResponseObjectType = 
"integration"` - `UpdatedAt Time` - `ProfileID string` - `Profiles []DLPEntryPredefinedGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryPredefinedGetResponseObjectUploadStatus` - `const DLPEntryPredefinedGetResponseObjectUploadStatusEmpty DLPEntryPredefinedGetResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusUploading DLPEntryPredefinedGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusPending DLPEntryPredefinedGetResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusProcessing DLPEntryPredefinedGetResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusFailed DLPEntryPredefinedGetResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusComplete DLPEntryPredefinedGetResponseObjectUploadStatus = "complete"` - `type DLPEntryPredefinedGetResponseObject struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type DLPEntryPredefinedGetResponseObjectType` - `const DLPEntryPredefinedGetResponseObjectTypeExactData DLPEntryPredefinedGetResponseObjectType = "exact_data"` - `UpdatedAt Time` - `Profiles []DLPEntryPredefinedGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryPredefinedGetResponseObjectUploadStatus` - `const DLPEntryPredefinedGetResponseObjectUploadStatusEmpty DLPEntryPredefinedGetResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusUploading DLPEntryPredefinedGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusPending DLPEntryPredefinedGetResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusProcessing DLPEntryPredefinedGetResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusFailed DLPEntryPredefinedGetResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusComplete DLPEntryPredefinedGetResponseObjectUploadStatus = "complete"` - `type DLPEntryPredefinedGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryPredefinedGetResponseObjectType` - `const DLPEntryPredefinedGetResponseObjectTypeDocumentFingerprint DLPEntryPredefinedGetResponseObjectType = "document_fingerprint"` - `UpdatedAt Time` - `Profiles []DLPEntryPredefinedGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryPredefinedGetResponseObjectUploadStatus` - `const DLPEntryPredefinedGetResponseObjectUploadStatusEmpty DLPEntryPredefinedGetResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusUploading DLPEntryPredefinedGetResponseObjectUploadStatus = "uploading"` - 
`const DLPEntryPredefinedGetResponseObjectUploadStatusPending DLPEntryPredefinedGetResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusProcessing DLPEntryPredefinedGetResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusFailed DLPEntryPredefinedGetResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusComplete DLPEntryPredefinedGetResponseObjectUploadStatus = "complete"` - `type DLPEntryPredefinedGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryPredefinedGetResponseObjectType` - `const DLPEntryPredefinedGetResponseObjectTypeWordList DLPEntryPredefinedGetResponseObjectType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Profiles []DLPEntryPredefinedGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryPredefinedGetResponseObjectUploadStatus` - `const DLPEntryPredefinedGetResponseObjectUploadStatusEmpty DLPEntryPredefinedGetResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusUploading DLPEntryPredefinedGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusPending DLPEntryPredefinedGetResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusProcessing DLPEntryPredefinedGetResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusFailed DLPEntryPredefinedGetResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedGetResponseObjectUploadStatusComplete DLPEntryPredefinedGetResponseObjectUploadStatus = "complete"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( 
option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) predefined, err := client.ZeroTrust.DLP.Entries.Predefined.Get( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPEntryPredefinedGetParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", predefined) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "profiles": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" } ], "upload_status": "empty" } } ``` ## List all entries `client.ZeroTrust.DLP.Entries.Predefined.List(ctx, query) (*SinglePage[DLPEntryPredefinedListResponse], error)` **get** `/accounts/{account_id}/dlp/entries` Lists all DLP entries in an account. 
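The following Go program is an added example, not part of the Cloudflare SDK or of this reference. It decodes the list response envelope documented here and reports entries that are disabled, whose upload has not completed, or whose `type` is not one of the listed discriminator values. The sample JSON is constructed, and treating `empty` as a gap for `exact_data`, `document_fingerprint` and `word_list` entries is this example's assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleResponse is constructed for this example; it uses the documented envelope and entry fields.
const sampleResponse = `{
  "success": true, "errors": [], "messages": [],
  "result": [
    {"id": "00000000-0000-4000-8000-000000000001", "name": "card numbers", "type": "custom", "enabled": true, "upload_status": "empty"},
    {"id": "00000000-0000-4000-8000-000000000002", "name": "prompt topic", "type": "predefined", "enabled": false},
    {"id": "00000000-0000-4000-8000-000000000003", "name": "customer ids", "type": "exact_data", "enabled": true, "upload_status": "failed"},
    {"id": "00000000-0000-4000-8000-000000000004", "name": "project names", "type": "word_list", "enabled": true, "upload_status": "empty"},
    {"id": "00000000-0000-4000-8000-000000000005", "name": "contract template", "type": "document_fingerprint", "enabled": false, "upload_status": "processing"},
    {"id": "00000000-0000-4000-8000-000000000006", "name": "new kind", "type": "future_type", "enabled": true}
  ]
}`

// entry keeps only the fields shared by every variant of the response union.
type entry struct {
	ID           string `json:"id"`
	Name         string `json:"name"`
	Type         string `json:"type"`
	Enabled      bool   `json:"enabled"`
	UploadStatus string `json:"upload_status"`
}

type envelope struct {
	Success bool `json:"success"`
	Errors  []struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	} `json:"errors"`
	Result []entry `json:"result"`
}

// finding is one reason an entry may not be detecting anything.
type finding struct{ EntryID, Name, Reason string }

// needsData: types this example ASSUMES match against uploaded data (not stated by the reference).
var needsData = map[string]bool{"exact_data": true, "document_fingerprint": true, "word_list": true}

// knownTypes are the "type" discriminator values listed in the reference.
var knownTypes = map[string]bool{"custom": true, "predefined": true, "integration": true,
	"exact_data": true, "document_fingerprint": true, "word_list": true}

// auditEntries decodes a list response and returns findings in input order.
func auditEntries(body []byte) ([]finding, error) {
	var env envelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		var msgs []string
		for _, e := range env.Errors {
			msgs = append(msgs, fmt.Sprintf("%d: %s", e.Code, e.Message))
		}
		return nil, fmt.Errorf("API reported failure: %s", strings.Join(msgs, "; "))
	}
	var out []finding
	for _, e := range env.Result {
		add := func(reason string) { out = append(out, finding{e.ID, e.Name, reason}) }
		if !knownTypes[e.Type] {
			// A new variant must be reviewed by a person, not silently skipped.
			add(fmt.Sprintf("unknown type %q", e.Type))
			continue
		}
		if !e.Enabled {
			add("disabled")
		}
		switch e.UploadStatus {
		case "failed":
			add("upload failed")
		case "uploading", "pending", "processing":
			add("upload not finished: " + e.UploadStatus)
		case "empty":
			if needsData[e.Type] {
				add("no data uploaded")
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := auditEntries([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s (%s): %s\n", f.Name, f.EntryID, f.Reason)
	}
}
```

To run it against a live account, pass the raw JSON body of `GET /accounts/{account_id}/dlp/entries` to `auditEntries` in place of the constructed sample.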
### Parameters - `query DLPEntryPredefinedListParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryPredefinedListResponse interface{…}` - `type DLPEntryPredefinedListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type DLPEntryPredefinedListResponseObjectType` - `const DLPEntryPredefinedListResponseObjectTypeCustom DLPEntryPredefinedListResponseObjectType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `UploadStatus DLPEntryPredefinedListResponseObjectUploadStatus` - `const DLPEntryPredefinedListResponseObjectUploadStatusEmpty DLPEntryPredefinedListResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedListResponseObjectUploadStatusUploading DLPEntryPredefinedListResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedListResponseObjectUploadStatusPending DLPEntryPredefinedListResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedListResponseObjectUploadStatusProcessing DLPEntryPredefinedListResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedListResponseObjectUploadStatusFailed DLPEntryPredefinedListResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedListResponseObjectUploadStatusComplete DLPEntryPredefinedListResponseObjectUploadStatus = "complete"` - `type DLPEntryPredefinedListResponseObject struct{…}` - `ID string` - `Confidence DLPEntryPredefinedListResponseObjectConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type DLPEntryPredefinedListResponseObjectType` - `const DLPEntryPredefinedListResponseObjectTypePredefined DLPEntryPredefinedListResponseObjectType = "predefined"` - `ProfileID string` - `UploadStatus DLPEntryPredefinedListResponseObjectUploadStatus` - `const DLPEntryPredefinedListResponseObjectUploadStatusEmpty DLPEntryPredefinedListResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedListResponseObjectUploadStatusUploading DLPEntryPredefinedListResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedListResponseObjectUploadStatusPending DLPEntryPredefinedListResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedListResponseObjectUploadStatusProcessing DLPEntryPredefinedListResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedListResponseObjectUploadStatusFailed DLPEntryPredefinedListResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedListResponseObjectUploadStatusComplete DLPEntryPredefinedListResponseObjectUploadStatus = "complete"` - `Variant DLPEntryPredefinedListResponseObjectVariant` - `TopicType DLPEntryPredefinedListResponseObjectVariantTopicType` - `const DLPEntryPredefinedListResponseObjectVariantTopicTypeIntent DLPEntryPredefinedListResponseObjectVariantTopicType = "Intent"` - `const DLPEntryPredefinedListResponseObjectVariantTopicTypeContent DLPEntryPredefinedListResponseObjectVariantTopicType = "Content"` - `Type DLPEntryPredefinedListResponseObjectVariantType` - `const DLPEntryPredefinedListResponseObjectVariantTypePromptTopic DLPEntryPredefinedListResponseObjectVariantType = "PromptTopic"` - `Description string` - `type DLPEntryPredefinedListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryPredefinedListResponseObjectType` - `const DLPEntryPredefinedListResponseObjectTypeIntegration DLPEntryPredefinedListResponseObjectType = "integration"` - `UpdatedAt Time` - `ProfileID string` - 
`UploadStatus DLPEntryPredefinedListResponseObjectUploadStatus` - `const DLPEntryPredefinedListResponseObjectUploadStatusEmpty DLPEntryPredefinedListResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedListResponseObjectUploadStatusUploading DLPEntryPredefinedListResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedListResponseObjectUploadStatusPending DLPEntryPredefinedListResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedListResponseObjectUploadStatusProcessing DLPEntryPredefinedListResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedListResponseObjectUploadStatusFailed DLPEntryPredefinedListResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedListResponseObjectUploadStatusComplete DLPEntryPredefinedListResponseObjectUploadStatus = "complete"` - `type DLPEntryPredefinedListResponseObject struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type DLPEntryPredefinedListResponseObjectType` - `const DLPEntryPredefinedListResponseObjectTypeExactData DLPEntryPredefinedListResponseObjectType = "exact_data"` - `UpdatedAt Time` - `UploadStatus DLPEntryPredefinedListResponseObjectUploadStatus` - `const DLPEntryPredefinedListResponseObjectUploadStatusEmpty DLPEntryPredefinedListResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedListResponseObjectUploadStatusUploading DLPEntryPredefinedListResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedListResponseObjectUploadStatusPending DLPEntryPredefinedListResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedListResponseObjectUploadStatusProcessing DLPEntryPredefinedListResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedListResponseObjectUploadStatusFailed 
DLPEntryPredefinedListResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedListResponseObjectUploadStatusComplete DLPEntryPredefinedListResponseObjectUploadStatus = "complete"` - `type DLPEntryPredefinedListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryPredefinedListResponseObjectType` - `const DLPEntryPredefinedListResponseObjectTypeDocumentFingerprint DLPEntryPredefinedListResponseObjectType = "document_fingerprint"` - `UpdatedAt Time` - `UploadStatus DLPEntryPredefinedListResponseObjectUploadStatus` - `const DLPEntryPredefinedListResponseObjectUploadStatusEmpty DLPEntryPredefinedListResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedListResponseObjectUploadStatusUploading DLPEntryPredefinedListResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedListResponseObjectUploadStatusPending DLPEntryPredefinedListResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedListResponseObjectUploadStatusProcessing DLPEntryPredefinedListResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedListResponseObjectUploadStatusFailed DLPEntryPredefinedListResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedListResponseObjectUploadStatusComplete DLPEntryPredefinedListResponseObjectUploadStatus = "complete"` - `type DLPEntryPredefinedListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryPredefinedListResponseObjectType` - `const DLPEntryPredefinedListResponseObjectTypeWordList DLPEntryPredefinedListResponseObjectType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `UploadStatus DLPEntryPredefinedListResponseObjectUploadStatus` - `const DLPEntryPredefinedListResponseObjectUploadStatusEmpty DLPEntryPredefinedListResponseObjectUploadStatus = "empty"` - `const DLPEntryPredefinedListResponseObjectUploadStatusUploading 
DLPEntryPredefinedListResponseObjectUploadStatus = "uploading"` - `const DLPEntryPredefinedListResponseObjectUploadStatusPending DLPEntryPredefinedListResponseObjectUploadStatus = "pending"` - `const DLPEntryPredefinedListResponseObjectUploadStatusProcessing DLPEntryPredefinedListResponseObjectUploadStatus = "processing"` - `const DLPEntryPredefinedListResponseObjectUploadStatusFailed DLPEntryPredefinedListResponseObjectUploadStatus = "failed"` - `const DLPEntryPredefinedListResponseObjectUploadStatusComplete DLPEntryPredefinedListResponseObjectUploadStatus = "complete"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.DLP.Entries.Predefined.List(context.TODO(), zero_trust.DLPEntryPredefinedListParams{ AccountID: cloudflare.F("account_id"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "upload_status": "empty" } ] } ``` # Integration ## Create integration entry `client.ZeroTrust.DLP.Entries.Integration.New(ctx, params) (*DLPEntryIntegrationNewResponse, error)` **post** `/accounts/{account_id}/dlp/entries/integration` Integration 
entries can't be created; this will update an existing integration entry. This is needed for our generated Terraform API.

### Parameters

- `params DLPEntryIntegrationNewParams`
  - `AccountID param.Field[string]` Path param
  - `Enabled param.Field[bool]` Body param
  - `EntryID param.Field[string]` Body param
  - `ProfileID param.Field[string]` Body param: This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.

### Returns

- `type DLPEntryIntegrationNewResponse struct{…}`
  - `ID string`
  - `CreatedAt Time`
  - `Enabled bool`
  - `Name string`
  - `UpdatedAt Time`
  - `ProfileID string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.DLP.Entries.Integration.New(context.TODO(), zero_trust.DLPEntryIntegrationNewParams{
		AccountID: cloudflare.F("account_id"),
		Enabled:   cloudflare.F(true),
		EntryID:   cloudflare.F("182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Update integration entry

`client.ZeroTrust.DLP.Entries.Integration.Update(ctx, entryID, params) (*DLPEntryIntegrationUpdateResponse, error)`

**put**
`/accounts/{account_id}/dlp/entries/integration/{entry_id}`

Updates a DLP entry.

### Parameters

- `entryID string`
- `params DLPEntryIntegrationUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Enabled param.Field[bool]` Body param

### Returns

- `type DLPEntryIntegrationUpdateResponse struct{…}`
  - `ID string`
  - `CreatedAt Time`
  - `Enabled bool`
  - `Name string`
  - `UpdatedAt Time`
  - `ProfileID string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.DLP.Entries.Integration.Update(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPEntryIntegrationUpdateParams{
			AccountID: cloudflare.F("account_id"),
			Enabled:   cloudflare.F(true),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Delete integration entry

`client.ZeroTrust.DLP.Entries.Integration.Delete(ctx, entryID, body) (*DLPEntryIntegrationDeleteResponse, error)`

**delete** `/accounts/{account_id}/dlp/entries/integration/{entry_id}`

This is a no-op, as integration entries can't be deleted, but it is needed for our generated Terraform API.

### Parameters

- `entryID string`
- `body DLPEntryIntegrationDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type DLPEntryIntegrationDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.DLP.Entries.Integration.Delete(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.DLPEntryIntegrationDeleteParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Get DLP Entry

`client.ZeroTrust.DLP.Entries.Integration.Get(ctx, entryID, query) (*DLPEntryIntegrationGetResponse, error)`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.
### Parameters - `entryID string` - `query DLPEntryIntegrationGetParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryIntegrationGetResponse interface{…}` - `type DLPEntryIntegrationGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type DLPEntryIntegrationGetResponseObjectType` - `const DLPEntryIntegrationGetResponseObjectTypeCustom DLPEntryIntegrationGetResponseObjectType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `Profiles []DLPEntryIntegrationGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryIntegrationGetResponseObjectUploadStatus` - `const DLPEntryIntegrationGetResponseObjectUploadStatusEmpty DLPEntryIntegrationGetResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusUploading DLPEntryIntegrationGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusPending DLPEntryIntegrationGetResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusProcessing DLPEntryIntegrationGetResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusFailed DLPEntryIntegrationGetResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusComplete DLPEntryIntegrationGetResponseObjectUploadStatus = "complete"` - `type DLPEntryIntegrationGetResponseObject struct{…}` - `ID string` - `Confidence DLPEntryIntegrationGetResponseObjectConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type DLPEntryIntegrationGetResponseObjectType` - `const DLPEntryIntegrationGetResponseObjectTypePredefined DLPEntryIntegrationGetResponseObjectType = "predefined"` - `ProfileID string` - `Profiles []DLPEntryIntegrationGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryIntegrationGetResponseObjectUploadStatus` - `const DLPEntryIntegrationGetResponseObjectUploadStatusEmpty DLPEntryIntegrationGetResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusUploading DLPEntryIntegrationGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusPending DLPEntryIntegrationGetResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusProcessing DLPEntryIntegrationGetResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusFailed DLPEntryIntegrationGetResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusComplete DLPEntryIntegrationGetResponseObjectUploadStatus = "complete"` - `Variant DLPEntryIntegrationGetResponseObjectVariant` - `TopicType DLPEntryIntegrationGetResponseObjectVariantTopicType` - `const DLPEntryIntegrationGetResponseObjectVariantTopicTypeIntent DLPEntryIntegrationGetResponseObjectVariantTopicType = "Intent"` - `const DLPEntryIntegrationGetResponseObjectVariantTopicTypeContent DLPEntryIntegrationGetResponseObjectVariantTopicType = "Content"` - `Type DLPEntryIntegrationGetResponseObjectVariantType` - `const DLPEntryIntegrationGetResponseObjectVariantTypePromptTopic DLPEntryIntegrationGetResponseObjectVariantType = "PromptTopic"` - `Description string` - `type DLPEntryIntegrationGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryIntegrationGetResponseObjectType` - `const DLPEntryIntegrationGetResponseObjectTypeIntegration 
DLPEntryIntegrationGetResponseObjectType = "integration"` - `UpdatedAt Time` - `ProfileID string` - `Profiles []DLPEntryIntegrationGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryIntegrationGetResponseObjectUploadStatus` - `const DLPEntryIntegrationGetResponseObjectUploadStatusEmpty DLPEntryIntegrationGetResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusUploading DLPEntryIntegrationGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusPending DLPEntryIntegrationGetResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusProcessing DLPEntryIntegrationGetResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusFailed DLPEntryIntegrationGetResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusComplete DLPEntryIntegrationGetResponseObjectUploadStatus = "complete"` - `type DLPEntryIntegrationGetResponseObject struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type DLPEntryIntegrationGetResponseObjectType` - `const DLPEntryIntegrationGetResponseObjectTypeExactData DLPEntryIntegrationGetResponseObjectType = "exact_data"` - `UpdatedAt Time` - `Profiles []DLPEntryIntegrationGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryIntegrationGetResponseObjectUploadStatus` - `const DLPEntryIntegrationGetResponseObjectUploadStatusEmpty DLPEntryIntegrationGetResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusUploading DLPEntryIntegrationGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusPending DLPEntryIntegrationGetResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusProcessing DLPEntryIntegrationGetResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusFailed DLPEntryIntegrationGetResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusComplete DLPEntryIntegrationGetResponseObjectUploadStatus = "complete"` - `type DLPEntryIntegrationGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryIntegrationGetResponseObjectType` - `const DLPEntryIntegrationGetResponseObjectTypeDocumentFingerprint DLPEntryIntegrationGetResponseObjectType = "document_fingerprint"` - `UpdatedAt Time` - `Profiles []DLPEntryIntegrationGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryIntegrationGetResponseObjectUploadStatus` - `const DLPEntryIntegrationGetResponseObjectUploadStatusEmpty DLPEntryIntegrationGetResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusUploading 
DLPEntryIntegrationGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusPending DLPEntryIntegrationGetResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusProcessing DLPEntryIntegrationGetResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusFailed DLPEntryIntegrationGetResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusComplete DLPEntryIntegrationGetResponseObjectUploadStatus = "complete"` - `type DLPEntryIntegrationGetResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryIntegrationGetResponseObjectType` - `const DLPEntryIntegrationGetResponseObjectTypeWordList DLPEntryIntegrationGetResponseObjectType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `Profiles []DLPEntryIntegrationGetResponseObjectProfile` - `ID string` - `Name string` - `UploadStatus DLPEntryIntegrationGetResponseObjectUploadStatus` - `const DLPEntryIntegrationGetResponseObjectUploadStatusEmpty DLPEntryIntegrationGetResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusUploading DLPEntryIntegrationGetResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusPending DLPEntryIntegrationGetResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusProcessing DLPEntryIntegrationGetResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusFailed DLPEntryIntegrationGetResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationGetResponseObjectUploadStatusComplete DLPEntryIntegrationGetResponseObjectUploadStatus = "complete"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" 
"github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) integration, err := client.ZeroTrust.DLP.Entries.Integration.Get( context.TODO(), "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", zero_trust.DLPEntryIntegrationGetParams{ AccountID: cloudflare.F("account_id"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", integration) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "profiles": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" } ], "upload_status": "empty" } } ``` ## List all entries `client.ZeroTrust.DLP.Entries.Integration.List(ctx, query) (*SinglePage[DLPEntryIntegrationListResponse], error)` **get** `/accounts/{account_id}/dlp/entries` Lists all DLP entries in an account. 
### Parameters - `query DLPEntryIntegrationListParams` - `AccountID param.Field[string]` ### Returns - `type DLPEntryIntegrationListResponse interface{…}` - `type DLPEntryIntegrationListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Pattern Pattern` - `Regex string` - `Validation PatternValidation` - `const PatternValidationLuhn PatternValidation = "luhn"` - `Type DLPEntryIntegrationListResponseObjectType` - `const DLPEntryIntegrationListResponseObjectTypeCustom DLPEntryIntegrationListResponseObjectType = "custom"` - `UpdatedAt Time` - `Description string` - `ProfileID string` - `UploadStatus DLPEntryIntegrationListResponseObjectUploadStatus` - `const DLPEntryIntegrationListResponseObjectUploadStatusEmpty DLPEntryIntegrationListResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationListResponseObjectUploadStatusUploading DLPEntryIntegrationListResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationListResponseObjectUploadStatusPending DLPEntryIntegrationListResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationListResponseObjectUploadStatusProcessing DLPEntryIntegrationListResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationListResponseObjectUploadStatusFailed DLPEntryIntegrationListResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationListResponseObjectUploadStatusComplete DLPEntryIntegrationListResponseObjectUploadStatus = "complete"` - `type DLPEntryIntegrationListResponseObject struct{…}` - `ID string` - `Confidence DLPEntryIntegrationListResponseObjectConfidence` - `AIContextAvailable bool` Indicates whether this entry has AI remote service validation. - `Available bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `Enabled bool` - `Name string` - `Type DLPEntryIntegrationListResponseObjectType` - `const DLPEntryIntegrationListResponseObjectTypePredefined DLPEntryIntegrationListResponseObjectType = "predefined"` - `ProfileID string` - `UploadStatus DLPEntryIntegrationListResponseObjectUploadStatus` - `const DLPEntryIntegrationListResponseObjectUploadStatusEmpty DLPEntryIntegrationListResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationListResponseObjectUploadStatusUploading DLPEntryIntegrationListResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationListResponseObjectUploadStatusPending DLPEntryIntegrationListResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationListResponseObjectUploadStatusProcessing DLPEntryIntegrationListResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationListResponseObjectUploadStatusFailed DLPEntryIntegrationListResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationListResponseObjectUploadStatusComplete DLPEntryIntegrationListResponseObjectUploadStatus = "complete"` - `Variant DLPEntryIntegrationListResponseObjectVariant` - `TopicType DLPEntryIntegrationListResponseObjectVariantTopicType` - `const DLPEntryIntegrationListResponseObjectVariantTopicTypeIntent DLPEntryIntegrationListResponseObjectVariantTopicType = "Intent"` - `const DLPEntryIntegrationListResponseObjectVariantTopicTypeContent DLPEntryIntegrationListResponseObjectVariantTopicType = "Content"` - `Type DLPEntryIntegrationListResponseObjectVariantType` - `const DLPEntryIntegrationListResponseObjectVariantTypePromptTopic DLPEntryIntegrationListResponseObjectVariantType = "PromptTopic"` - `Description string` - `type DLPEntryIntegrationListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryIntegrationListResponseObjectType` - `const DLPEntryIntegrationListResponseObjectTypeIntegration DLPEntryIntegrationListResponseObjectType = "integration"` - `UpdatedAt Time` - 
`ProfileID string` - `UploadStatus DLPEntryIntegrationListResponseObjectUploadStatus` - `const DLPEntryIntegrationListResponseObjectUploadStatusEmpty DLPEntryIntegrationListResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationListResponseObjectUploadStatusUploading DLPEntryIntegrationListResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationListResponseObjectUploadStatusPending DLPEntryIntegrationListResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationListResponseObjectUploadStatusProcessing DLPEntryIntegrationListResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationListResponseObjectUploadStatusFailed DLPEntryIntegrationListResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationListResponseObjectUploadStatusComplete DLPEntryIntegrationListResponseObjectUploadStatus = "complete"` - `type DLPEntryIntegrationListResponseObject struct{…}` - `ID string` - `CaseSensitive bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true. - `CreatedAt Time` - `Enabled bool` - `Name string` - `Secret bool` - `Type DLPEntryIntegrationListResponseObjectType` - `const DLPEntryIntegrationListResponseObjectTypeExactData DLPEntryIntegrationListResponseObjectType = "exact_data"` - `UpdatedAt Time` - `UploadStatus DLPEntryIntegrationListResponseObjectUploadStatus` - `const DLPEntryIntegrationListResponseObjectUploadStatusEmpty DLPEntryIntegrationListResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationListResponseObjectUploadStatusUploading DLPEntryIntegrationListResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationListResponseObjectUploadStatusPending DLPEntryIntegrationListResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationListResponseObjectUploadStatusProcessing DLPEntryIntegrationListResponseObjectUploadStatus = "processing"` - `const 
DLPEntryIntegrationListResponseObjectUploadStatusFailed DLPEntryIntegrationListResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationListResponseObjectUploadStatusComplete DLPEntryIntegrationListResponseObjectUploadStatus = "complete"` - `type DLPEntryIntegrationListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryIntegrationListResponseObjectType` - `const DLPEntryIntegrationListResponseObjectTypeDocumentFingerprint DLPEntryIntegrationListResponseObjectType = "document_fingerprint"` - `UpdatedAt Time` - `UploadStatus DLPEntryIntegrationListResponseObjectUploadStatus` - `const DLPEntryIntegrationListResponseObjectUploadStatusEmpty DLPEntryIntegrationListResponseObjectUploadStatus = "empty"` - `const DLPEntryIntegrationListResponseObjectUploadStatusUploading DLPEntryIntegrationListResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationListResponseObjectUploadStatusPending DLPEntryIntegrationListResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationListResponseObjectUploadStatusProcessing DLPEntryIntegrationListResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationListResponseObjectUploadStatusFailed DLPEntryIntegrationListResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationListResponseObjectUploadStatusComplete DLPEntryIntegrationListResponseObjectUploadStatus = "complete"` - `type DLPEntryIntegrationListResponseObject struct{…}` - `ID string` - `CreatedAt Time` - `Enabled bool` - `Name string` - `Type DLPEntryIntegrationListResponseObjectType` - `const DLPEntryIntegrationListResponseObjectTypeWordList DLPEntryIntegrationListResponseObjectType = "word_list"` - `UpdatedAt Time` - `WordList unknown` - `ProfileID string` - `UploadStatus DLPEntryIntegrationListResponseObjectUploadStatus` - `const DLPEntryIntegrationListResponseObjectUploadStatusEmpty DLPEntryIntegrationListResponseObjectUploadStatus = "empty"` - `const 
DLPEntryIntegrationListResponseObjectUploadStatusUploading DLPEntryIntegrationListResponseObjectUploadStatus = "uploading"` - `const DLPEntryIntegrationListResponseObjectUploadStatusPending DLPEntryIntegrationListResponseObjectUploadStatus = "pending"` - `const DLPEntryIntegrationListResponseObjectUploadStatusProcessing DLPEntryIntegrationListResponseObjectUploadStatus = "processing"` - `const DLPEntryIntegrationListResponseObjectUploadStatusFailed DLPEntryIntegrationListResponseObjectUploadStatus = "failed"` - `const DLPEntryIntegrationListResponseObjectUploadStatusComplete DLPEntryIntegrationListResponseObjectUploadStatus = "complete"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.DLP.Entries.Integration.List(context.TODO(), zero_trust.DLPEntryIntegrationListParams{ AccountID: cloudflare.F("account_id"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "upload_status": "empty" } ] } ``` # Gateway ## Get Zero Trust account information `client.ZeroTrust.Gateway.List(ctx, query) (*GatewayListResponse, error)` **get** 
`/accounts/{account_id}/gateway`

Retrieve information about the current Zero Trust account.

### Parameters

- `query GatewayListParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayListResponse struct{…}`
  - `ID string` Specify the Cloudflare account ID.
  - `GatewayTag string` Specify the gateway internal ID.
  - `ProviderName string` Specify the provider name (usually Cloudflare).

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gateways, err := client.ZeroTrust.Gateway.List(context.TODO(), zero_trust.GatewayListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gateways.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "699d98642c564d2e855e9661899b7252",
    "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415",
    "provider_name": "Cloudflare"
  }
}
```

## Create Zero Trust account

`client.ZeroTrust.Gateway.New(ctx, body) (*GatewayNewResponse, error)`

**post** `/accounts/{account_id}/gateway`

Create a Zero Trust account for an existing Cloudflare account.

### Parameters

- `body GatewayNewParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayNewResponse struct{…}`
  - `ID string` Specify the Cloudflare account ID.
  - `GatewayTag string` Specify the gateway internal ID.
  - `ProviderName string` Specify the provider name (usually Cloudflare).

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gateway, err := client.ZeroTrust.Gateway.New(context.TODO(), zero_trust.GatewayNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gateway.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "699d98642c564d2e855e9661899b7252",
    "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415",
    "provider_name": "Cloudflare"
  }
}
```

# Audit SSH Settings

## Get Zero Trust SSH settings

`client.ZeroTrust.Gateway.AuditSSHSettings.Get(ctx, query) (*GatewaySettings, error)`

**get** `/accounts/{account_id}/gateway/audit_ssh_settings`

Retrieve all Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

### Parameters

- `query GatewayAuditSSHSettingGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewaySettings struct{…}`
  - `CreatedAt Time`
  - `PublicKey string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `SeedID string` Identify the seed ID.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gatewaySettings, err := client.ZeroTrust.Gateway.AuditSSHSettings.Get(context.TODO(), zero_trust.GatewayAuditSSHSettingGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewaySettings.SeedID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust SSH settings

`client.ZeroTrust.Gateway.AuditSSHSettings.Update(ctx, params) (*GatewaySettings, error)`

**put** `/accounts/{account_id}/gateway/audit_ssh_settings`

Update Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

### Parameters

- `params GatewayAuditSSHSettingUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `PublicKey param.Field[string]` Body param: Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.

### Returns

- `type GatewaySettings struct{…}`
  - `CreatedAt Time`
  - `PublicKey string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs.
    See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `SeedID string` Identify the seed ID.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gatewaySettings, err := client.ZeroTrust.Gateway.AuditSSHSettings.Update(context.TODO(), zero_trust.GatewayAuditSSHSettingUpdateParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		PublicKey: cloudflare.F("1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA="),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewaySettings.SeedID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Zero Trust SSH account seed

`client.ZeroTrust.Gateway.AuditSSHSettings.RotateSeed(ctx, body) (*GatewaySettings, error)`

**post** `/accounts/{account_id}/gateway/audit_ssh_settings/rotate_seed`

Rotate the SSH account seed that generates the host key identity when connecting through the Cloudflare SSH Proxy.

### Parameters

- `body GatewayAuditSSHSettingRotateSeedParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewaySettings struct{…}`
  - `CreatedAt Time`
  - `PublicKey string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs.
    See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `SeedID string`
    Identify the seed ID.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gatewaySettings, err := client.ZeroTrust.Gateway.AuditSSHSettings.RotateSeed(context.TODO(), zero_trust.GatewayAuditSSHSettingRotateSeedParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewaySettings.SeedID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Gateway Settings

- `type GatewaySettings struct{…}`
  - `CreatedAt Time`
  - `PublicKey string`
    Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `SeedID string`
    Identify the seed ID.
  - `UpdatedAt Time`

# Categories

## List categories

`client.ZeroTrust.Gateway.Categories.List(ctx, query) (*SinglePage[Category], error)`

**get** `/accounts/{account_id}/gateway/categories`

List all categories.

### Parameters

- `query GatewayCategoryListParams`
  - `AccountID param.Field[string]`
    Provide the identifier string.

### Returns

- `type Category struct{…}`
  - `ID int64`
    Identify this category. Only one category per ID.
  - `Beta bool`
    Indicate whether the category is in beta and subject to change.
  - `Class CategoryClass`
    Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
    - `const CategoryClassFree CategoryClass = "free"`
    - `const CategoryClassPremium CategoryClass = "premium"`
    - `const CategoryClassBlocked CategoryClass = "blocked"`
    - `const CategoryClassRemovalPending CategoryClass = "removalPending"`
    - `const CategoryClassNoBlock CategoryClass = "noBlock"`
  - `Description string`
    Provide a short summary of domains in the category.
  - `Name string`
    Specify the category name.
  - `Subcategories []CategorySubcategory`
    Provide all subcategories for this category.
    - `ID int64`
      Identify this category. Only one category per ID.
    - `Beta bool`
      Indicate whether the category is in beta and subject to change.
    - `Class CategorySubcategoriesClass`
      Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      - `const CategorySubcategoriesClassFree CategorySubcategoriesClass = "free"`
      - `const CategorySubcategoriesClassPremium CategorySubcategoriesClass = "premium"`
      - `const CategorySubcategoriesClassBlocked CategorySubcategoriesClass = "blocked"`
      - `const CategorySubcategoriesClassRemovalPending CategorySubcategoriesClass = "removalPending"`
      - `const CategorySubcategoriesClassNoBlock CategorySubcategoriesClass = "noBlock"`
    - `Description string`
      Provide a short summary of domains in the category.
    - `Name string`
      Specify the category name.
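
The `Class` values listed above decide whether a category ID belongs in a blocking policy. The following Go program is an added example, not part of the Cloudflare SDK or its documentation: it indexes a list-categories response body and lints a set of category IDs intended for a block policy against those class meanings. The sample JSON, the `Entry` and `Finding` types and the function names are constructed for illustration, and treating category and subcategory IDs as one ID space is an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Entry holds the fields that Category and CategorySubcategory share on this page.
type Entry struct {
	ID            int64   `json:"id"`
	Beta          bool    `json:"beta"`
	Class         string  `json:"class"`
	Name          string  `json:"name"`
	Subcategories []Entry `json:"subcategories"`
}

// Finding is a hypothetical result type used only by this example.
type Finding struct {
	ID       int64
	Severity string // "error", "warn" or "info"
	Reason   string
}

// sampleResponse is constructed for this example; the IDs and names are not real categories.
const sampleResponse = `{
  "success": true,
  "result": [
    {"id": 1, "beta": false, "class": "free", "name": "Constructed A", "subcategories": [
      {"id": 11, "beta": true, "class": "premium", "name": "Constructed A1"},
      {"id": 12, "beta": false, "class": "removalPending", "name": "Constructed A2"}
    ]},
    {"id": 2, "beta": false, "class": "noBlock", "name": "Constructed B", "subcategories": []},
    {"id": 3, "beta": false, "class": "blocked", "name": "Constructed C", "subcategories": []}
  ]
}`

// IndexCategories decodes a list-categories response body and flattens
// categories and subcategories into one map keyed by ID.
func IndexCategories(body []byte) (map[int64]Entry, error) {
	var env struct {
		Success bool    `json:"success"`
		Result  []Entry `json:"result"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("response has success=false; refusing to lint against it")
	}
	index := make(map[int64]Entry)
	var walk func(items []Entry) error
	walk = func(items []Entry) error {
		for _, e := range items {
			// Assumption: "Only one category per ID" holds across both levels.
			if _, dup := index[e.ID]; dup {
				return fmt.Errorf("duplicate category id %d in response", e.ID)
			}
			subs := e.Subcategories
			e.Subcategories = nil
			index[e.ID] = e
			if err := walk(subs); err != nil {
				return err
			}
		}
		return nil
	}
	if err := walk(env.Result); err != nil {
		return nil, err
	}
	return index, nil
}

// LintBlockList checks category IDs intended for a block policy against the
// class semantics documented for Category.Class.
func LintBlockList(index map[int64]Entry, ids []int64) []Finding {
	var out []Finding
	for _, id := range ids {
		e, ok := index[id]
		if !ok {
			out = append(out, Finding{id, "error", "ID is not in the category list"})
			continue
		}
		switch e.Class {
		case "noBlock":
			out = append(out, Finding{id, "error", e.Name + ": class noBlock prevents blocking"})
		case "removalPending":
			out = append(out, Finding{id, "warn", e.Name + ": removal pending, cannot be added to policies"})
		case "blocked":
			out = append(out, Finding{id, "info", e.Name + ": already blocked unconditionally for all accounts"})
		case "free", "premium":
			// Usable in policies, subject to the account type.
		default:
			out = append(out, Finding{id, "warn", e.Name + ": unrecognised class " + e.Class})
		}
		if e.Beta {
			out = append(out, Finding{id, "warn", e.Name + ": beta category, subject to change"})
		}
	}
	return out
}

func main() {
	index, err := IndexCategories([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range LintBlockList(index, []int64{1, 11, 12, 2, 3, 99}) {
		fmt.Printf("%-5s id=%d %s\n", f.Severity, f.ID, f.Reason)
	}
}
```
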

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.Categories.List(context.TODO(), zero_trust.GatewayCategoryListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": 0,
      "beta": false,
      "class": "premium",
      "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.",
      "name": "Education",
      "subcategories": [
        {
          "id": 0,
          "beta": false,
          "class": "premium",
          "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.",
          "name": "Education"
        }
      ]
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Category

- `type Category struct{…}`
  - `ID int64`
    Identify this category. Only one category per ID.
  - `Beta bool`
    Indicate whether the category is in beta and subject to change.
  - `Class CategoryClass`
    Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
    - `const CategoryClassFree CategoryClass = "free"`
    - `const CategoryClassPremium CategoryClass = "premium"`
    - `const CategoryClassBlocked CategoryClass = "blocked"`
    - `const CategoryClassRemovalPending CategoryClass = "removalPending"`
    - `const CategoryClassNoBlock CategoryClass = "noBlock"`
  - `Description string`
    Provide a short summary of domains in the category.
  - `Name string`
    Specify the category name.
  - `Subcategories []CategorySubcategory`
    Provide all subcategories for this category.
    - `ID int64`
      Identify this category. Only one category per ID.
    - `Beta bool`
      Indicate whether the category is in beta and subject to change.
    - `Class CategorySubcategoriesClass`
      Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      - `const CategorySubcategoriesClassFree CategorySubcategoriesClass = "free"`
      - `const CategorySubcategoriesClassPremium CategorySubcategoriesClass = "premium"`
      - `const CategorySubcategoriesClassBlocked CategorySubcategoriesClass = "blocked"`
      - `const CategorySubcategoriesClassRemovalPending CategorySubcategoriesClass = "removalPending"`
      - `const CategorySubcategoriesClassNoBlock CategorySubcategoriesClass = "noBlock"`
    - `Description string`
      Provide a short summary of domains in the category.
    - `Name string`
      Specify the category name.

# App Types

## List application and application type mappings

`client.ZeroTrust.Gateway.AppTypes.List(ctx, query) (*SinglePage[AppType], error)`

**get** `/accounts/{account_id}/gateway/app_types`

List all application and application type mappings.

### Parameters

- `query GatewayAppTypeListParams`
  - `AccountID param.Field[string]`
    Provide the identifier string.

### Returns

- `type AppType interface{…}`
  - `type AppTypeZeroTrustGatewayApplication struct{…}`
    - `ID int64`
      Identify this application. Only one application per ID.
    - `ApplicationTypeID int64`
      Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `CreatedAt Time`
    - `Name string`
      Specify the name of the application or application type.
  - `type AppTypeZeroTrustGatewayApplicationType struct{…}`
    - `ID int64`
      Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `CreatedAt Time`
    - `Description string`
      Provide a short summary of applications with this type.
    - `Name string`
      Specify the name of the application or application type.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.AppTypes.List(context.TODO(), zero_trust.GatewayAppTypeListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": 0,
      "application_type_id": 0,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "name": "Facebook"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### App Type

- `type AppType interface{…}`
  - `type AppTypeZeroTrustGatewayApplication struct{…}`
    - `ID int64`
      Identify this application. Only one application per ID.
    - `ApplicationTypeID int64`
      Identify the type of this application. Multiple applications can share the same type.
      Refers to the `id` of a returned application type.
    - `CreatedAt Time`
    - `Name string`
      Specify the name of the application or application type.
  - `type AppTypeZeroTrustGatewayApplicationType struct{…}`
    - `ID int64`
      Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `CreatedAt Time`
    - `Description string`
      Provide a short summary of applications with this type.
    - `Name string`
      Specify the name of the application or application type.

# Configurations

## Get Zero Trust account configuration

`client.ZeroTrust.Gateway.Configurations.Get(ctx, query) (*GatewayConfigurationGetResponse, error)`

**get** `/accounts/{account_id}/gateway/configuration`

Retrieve the current Zero Trust account configuration.

### Parameters

- `query GatewayConfigurationGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayConfigurationGetResponse struct{…}`
  Specify account settings.
  - `CreatedAt Time`
  - `Settings GatewayConfigurationSettings`
    Specify account settings.
    - `ActivityLog ActivityLogSettings`
      Specify activity log settings.
      - `Enabled bool`
        Specify whether to log activity.
    - `Antivirus AntiVirusSettings`
      Specify anti-virus settings.
      - `EnabledDownloadPhase bool`
        Specify whether to enable anti-virus scanning on downloads.
      - `EnabledUploadPhase bool`
        Specify whether to enable anti-virus scanning on uploads.
      - `FailClosed bool`
        Specify whether to block requests for unscannable files.
      - `NotificationSettings NotificationSettings`
        Configure the message the user's device shows during an antivirus scan.
        - `Enabled bool`
          Specify whether to enable notifications.
        - `IncludeContext bool`
          Specify whether to include context information as query parameters.
        - `Msg string`
          Specify the message to show in the notification.
        - `SupportURL string`
          Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `BlockPage BlockPageSettings`
      Specify block page layout settings.
      - `BackgroundColor string`
        Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `Enabled bool`
        Specify whether to enable the custom block page.
      - `FooterText string`
        Specify the block page footer text when the mode is customized_block_page.
      - `HeaderText string`
        Specify the block page header text when the mode is customized_block_page.
      - `IncludeContext bool`
        Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `LogoPath string`
        Specify the full URL to the logo file when the mode is customized_block_page.
      - `MailtoAddress string`
        Specify the admin email for users to contact when the mode is customized_block_page.
      - `MailtoSubject string`
        Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `Mode BlockPageSettingsMode`
        Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""`
        - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"`
        - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"`
      - `Name string`
        Specify the block page title when the mode is customized_block_page.
      - `ReadOnly bool`
        Indicate that this setting was shared via the Orgs API and read only for the current account.
      - `SourceAccount string`
        Indicate the account tag of the account that shared this setting.
      - `SuppressFooter bool`
        Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `TargetURI string`
        Specify the URI to redirect users to when the mode is redirect_uri.
      - `Version int64`
        Indicate the version number of the setting.
    - `BodyScanning BodyScanningSettings`
      Specify the DLP inspection mode.
      - `InspectionMode BodyScanningSettingsInspectionMode`
        Specify the inspection mode as either `deep` or `shallow`.
        - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"`
        - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"`
    - `BrowserIsolation BrowserIsolationSettings`
      Specify Clientless Browser Isolation settings.
      - `NonIdentityEnabled bool`
        Specify whether to enable non-identity onramp support for Browser Isolation.
      - `URLBrowserIsolationEnabled bool`
        Specify whether to enable Clientless Browser Isolation.
    - `Certificate GatewayConfigurationSettingsCertificate`
      Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `ID string`
        Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `CustomCertificate CustomCertificateSettings`
      Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `Enabled bool`
        Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `ID string`
        Specify the UUID of the certificate (ID from MTLS certificate store).
      - `BindingStatus string`
        Indicate the internal certificate status.
      - `UpdatedAt Time`
    - `ExtendedEmailMatching ExtendedEmailMatching`
      Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `Enabled bool`
        Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `ReadOnly bool`
        Indicate that this setting was shared via the Orgs API and read only for the current account.
      - `SourceAccount string`
        Indicate the account tag of the account that shared this setting.
      - `Version int64`
        Indicate the version number of the setting.
    - `Fips FipsSettings`
      Specify FIPS settings.
      - `TLS bool`
        Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `HostSelector GatewayConfigurationSettingsHostSelector`
      Enable host selection in egress policies.
      - `Enabled bool`
        Specify whether to enable filtering via hosts for egress policies.
    - `Inspection GatewayConfigurationSettingsInspection`
      Define the proxy inspection mode.
      - `Mode GatewayConfigurationSettingsInspectionMode`
        Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"`
        - `const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"`
    - `ProtocolDetection ProtocolDetection`
      Specify whether to detect protocols from the initial bytes of client traffic.
      - `Enabled bool`
        Specify whether to detect protocols from the initial bytes of client traffic.
    - `Sandbox GatewayConfigurationSettingsSandbox`
      Specify whether to enable the sandbox.
      - `Enabled bool`
        Specify whether to enable the sandbox.
      - `FallbackAction GatewayConfigurationSettingsSandboxFallbackAction`
        Specify the action to take when the system cannot scan the file.
        - `const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"`
        - `const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"`
    - `TLSDecrypt TLSSettings`
      Specify whether to inspect encrypted HTTP traffic.
      - `Enabled bool`
        Specify whether to inspect encrypted HTTP traffic.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	configuration, err := client.ZeroTrust.Gateway.Configurations.Get(context.TODO(), zero_trust.GatewayConfigurationGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", configuration.CreatedAt)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": {
        "enabled": true
      },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": {
        "inspection_mode": "deep"
      },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": {
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f"
      },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": {
        "tls": true
      },
      "host_selector": {
        "enabled": false
      },
      "inspection": {
        "mode": "static"
      },
      "protocol_detection": {
        "enabled": true
      },
      "sandbox": {
        "enabled": true,
        "fallback_action": "allow"
      },
      "tls_decrypt": {
        "enabled": true
      }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust account configuration

`client.ZeroTrust.Gateway.Configurations.Update(ctx, params) (*GatewayConfigurationUpdateResponse, error)`

**put** `/accounts/{account_id}/gateway/configuration`

Update the current Zero Trust account configuration.

### Parameters

- `params GatewayConfigurationUpdateParams`
  - `AccountID param.Field[string]`
    Path param
  - `Settings param.Field[GatewayConfigurationSettings]`
    Body param: Specify account settings.

### Returns

- `type GatewayConfigurationUpdateResponse struct{…}`
  Specify account settings.
  - `CreatedAt Time`
  - `Settings GatewayConfigurationSettings`
    Specify account settings.
    - `ActivityLog ActivityLogSettings`
      Specify activity log settings.
      - `Enabled bool`
        Specify whether to log activity.
    - `Antivirus AntiVirusSettings`
      Specify anti-virus settings.
      - `EnabledDownloadPhase bool`
        Specify whether to enable anti-virus scanning on downloads.
      - `EnabledUploadPhase bool`
        Specify whether to enable anti-virus scanning on uploads.
      - `FailClosed bool`
        Specify whether to block requests for unscannable files.
      - `NotificationSettings NotificationSettings`
        Configure the message the user's device shows during an antivirus scan.
        - `Enabled bool`
          Specify whether to enable notifications.
        - `IncludeContext bool`
          Specify whether to include context information as query parameters.
        - `Msg string`
          Specify the message to show in the notification.
        - `SupportURL string`
          Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `BlockPage BlockPageSettings`
      Specify block page layout settings.
      - `BackgroundColor string`
        Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `Enabled bool`
        Specify whether to enable the custom block page.
      - `FooterText string`
        Specify the block page footer text when the mode is customized_block_page.
      - `HeaderText string`
        Specify the block page header text when the mode is customized_block_page.
      - `IncludeContext bool`
        Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `LogoPath string`
        Specify the full URL to the logo file when the mode is customized_block_page.
      - `MailtoAddress string`
        Specify the admin email for users to contact when the mode is customized_block_page.
      - `MailtoSubject string`
        Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `Mode BlockPageSettingsMode`
        Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""`
        - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"`
        - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"`
      - `Name string`
        Specify the block page title when the mode is customized_block_page.
      - `ReadOnly bool`
        Indicate that this setting was shared via the Orgs API and read only for the current account.
      - `SourceAccount string`
        Indicate the account tag of the account that shared this setting.
      - `SuppressFooter bool`
        Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `TargetURI string`
        Specify the URI to redirect users to when the mode is redirect_uri.
      - `Version int64`
        Indicate the version number of the setting.
    - `BodyScanning BodyScanningSettings`
      Specify the DLP inspection mode.
      - `InspectionMode BodyScanningSettingsInspectionMode`
        Specify the inspection mode as either `deep` or `shallow`.
        - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"`
        - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"`
    - `BrowserIsolation BrowserIsolationSettings`
      Specify Clientless Browser Isolation settings.
      - `NonIdentityEnabled bool`
        Specify whether to enable non-identity onramp support for Browser Isolation.
      - `URLBrowserIsolationEnabled bool`
        Specify whether to enable Clientless Browser Isolation.
    - `Certificate GatewayConfigurationSettingsCertificate`
      Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `ID string`
        Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `CustomCertificate CustomCertificateSettings`
      Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `Enabled bool`
        Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `ID string`
        Specify the UUID of the certificate (ID from MTLS certificate store).
      - `BindingStatus string`
        Indicate the internal certificate status.
      - `UpdatedAt Time`
    - `ExtendedEmailMatching ExtendedEmailMatching`
      Configures user email settings for firewall policies.
      When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `Enabled bool`
        Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `ReadOnly bool`
        Indicate that this setting was shared via the Orgs API and read only for the current account.
      - `SourceAccount string`
        Indicate the account tag of the account that shared this setting.
      - `Version int64`
        Indicate the version number of the setting.
    - `Fips FipsSettings`
      Specify FIPS settings.
      - `TLS bool`
        Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `HostSelector GatewayConfigurationSettingsHostSelector`
      Enable host selection in egress policies.
      - `Enabled bool`
        Specify whether to enable filtering via hosts for egress policies.
    - `Inspection GatewayConfigurationSettingsInspection`
      Define the proxy inspection mode.
      - `Mode GatewayConfigurationSettingsInspectionMode`
        Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"`
        - `const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"`
    - `ProtocolDetection ProtocolDetection`
      Specify whether to detect protocols from the initial bytes of client traffic.
      - `Enabled bool`
        Specify whether to detect protocols from the initial bytes of client traffic.
    - `Sandbox GatewayConfigurationSettingsSandbox`
      Specify whether to enable the sandbox.
      - `Enabled bool`
        Specify whether to enable the sandbox.
      - `FallbackAction GatewayConfigurationSettingsSandboxFallbackAction`
        Specify the action to take when the system cannot scan the file.
        - `const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"`
        - `const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"`
    - `TLSDecrypt TLSSettings`
      Specify whether to inspect encrypted HTTP traffic.
      - `Enabled bool`
        Specify whether to inspect encrypted HTTP traffic.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	configuration, err := client.ZeroTrust.Gateway.Configurations.Update(context.TODO(), zero_trust.GatewayConfigurationUpdateParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", configuration.CreatedAt)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": {
        "enabled": true
      },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": {
        "inspection_mode": "deep"
      },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": {
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f"
      },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": {
        "tls": true
      },
      "host_selector": {
        "enabled": false
      },
      "inspection": {
        "mode": "static"
      },
      "protocol_detection": {
        "enabled": true
      },
      "sandbox": {
        "enabled": true,
        "fallback_action": "allow"
      },
      "tls_decrypt": {
        "enabled": true
      }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Patch Zero Trust account configuration

`client.ZeroTrust.Gateway.Configurations.Edit(ctx, params) (*GatewayConfigurationEditResponse, error)`

**patch** `/accounts/{account_id}/gateway/configuration`

Update (PATCH) a single subcollection of settings such as `antivirus`, `tls_decrypt`, `activity_log`, `block_page`, `browser_isolation`, `fips`, `body_scanning`, or `certificate` without updating the entire configuration object. This endpoint returns an error if any settings collection lacks proper configuration.

### Parameters

- `params GatewayConfigurationEditParams`
  - `AccountID param.Field[string]`
    Path param
  - `Settings param.Field[GatewayConfigurationSettings]`
    Body param: Specify account settings.

### Returns

- `type GatewayConfigurationEditResponse struct{…}`
  Specify account settings.
  - `CreatedAt Time`
  - `Settings GatewayConfigurationSettings`
    Specify account settings.
    - `ActivityLog ActivityLogSettings`
      Specify activity log settings.
      - `Enabled bool`
        Specify whether to log activity.
    - `Antivirus AntiVirusSettings`
      Specify anti-virus settings.
      - `EnabledDownloadPhase bool`
        Specify whether to enable anti-virus scanning on downloads.
      - `EnabledUploadPhase bool`
        Specify whether to enable anti-virus scanning on uploads.
      - `FailClosed bool`
        Specify whether to block requests for unscannable files.
      - `NotificationSettings NotificationSettings`
        Configure the message the user's device shows during an antivirus scan.
        - `Enabled bool`
          Specify whether to enable notifications.
        - `IncludeContext bool`
          Specify whether to include context information as query parameters.
        - `Msg string`
          Specify the message to show in the notification.
        - `SupportURL string`
          Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `BlockPage BlockPageSettings`
      Specify block page layout settings.
      - `BackgroundColor string`
        Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `Enabled bool`
        Specify whether to enable the custom block page.
      - `FooterText string`
        Specify the block page footer text when the mode is customized_block_page.
      - `HeaderText string`
        Specify the block page header text when the mode is customized_block_page.
      - `IncludeContext bool`
        Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `LogoPath string`
        Specify the full URL to the logo file when the mode is customized_block_page.
      - `MailtoAddress string`
        Specify the admin email for users to contact when the mode is customized_block_page.
      - `MailtoSubject string`
        Specify the subject line for emails created from the block page when the mode is customized_block_page.
- `Mode BlockPageSettingsMode` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""` - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"` - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"` - `Name string` Specify the block page title when the mode is customized_block_page. - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account. - `SourceAccount string` Indicate the account tag of the account that shared this setting. - `SuppressFooter bool` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `TargetURI string` Specify the URI to redirect users to when the mode is redirect_uri. - `Version int64` Indicate the version number of the setting. - `BodyScanning BodyScanningSettings` Specify the DLP inspection mode. - `InspectionMode BodyScanningSettingsInspectionMode` Specify the inspection mode as either `deep` or `shallow`. - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"` - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"` - `BrowserIsolation BrowserIsolationSettings` Specify Clientless Browser Isolation settings. - `NonIdentityEnabled bool` Specify whether to enable non-identity onramp support for Browser Isolation. - `URLBrowserIsolationEnabled bool` Specify whether to enable Clientless Browser Isolation. - `Certificate GatewayConfigurationSettingsCertificate` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `ID string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. 
- `CustomCertificate CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store). - `BindingStatus string` Indicate the internal certificate status. - `UpdatedAt Time` - `ExtendedEmailMatching ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `Enabled bool` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account. - `SourceAccount string` Indicate the account tag of the account that shared this setting. - `Version int64` Indicate the version number of the setting. - `Fips FipsSettings` Specify FIPS settings. - `TLS bool` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `HostSelector GatewayConfigurationSettingsHostSelector` Enable host selection in egress policies. - `Enabled bool` Specify whether to enable filtering via hosts for egress policies. - `Inspection GatewayConfigurationSettingsInspection` Define the proxy inspection mode. - `Mode GatewayConfigurationSettingsInspectionMode` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. 
TLS decryption must remain on to inspect HTTPS traffic. - `const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"` - `const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"` - `ProtocolDetection ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic. - `Enabled bool` Specify whether to detect protocols from the initial bytes of client traffic. - `Sandbox GatewayConfigurationSettingsSandbox` Specify whether to enable the sandbox. - `Enabled bool` Specify whether to enable the sandbox. - `FallbackAction GatewayConfigurationSettingsSandboxFallbackAction` Specify the action to take when the system cannot scan the file. - `const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"` - `const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"` - `TLSDecrypt TLSSettings` Specify whether to inspect encrypted HTTP traffic. - `Enabled bool` Specify whether to inspect encrypted HTTP traffic. 
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Gateway.Configurations.Edit(context.TODO(), zero_trust.GatewayConfigurationEditParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.CreatedAt)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": { "enabled": true },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": { "inspection_mode": "deep" },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": { "tls": true },
      "host_selector": { "enabled": false },
      "inspection": { "mode": "static" },
      "protocol_detection": { "enabled": true },
      "sandbox": { "enabled": true, "fallback_action": "allow" },
      "tls_decrypt": { "enabled": true }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Activity Log Settings

- `type ActivityLogSettings struct{…}` Specify activity log settings.
  - `Enabled bool` Specify whether to log activity.

### Anti Virus Settings

- `type AntiVirusSettings struct{…}` Specify anti-virus settings.
  - `EnabledDownloadPhase bool` Specify whether to enable anti-virus scanning on downloads.
  - `EnabledUploadPhase bool` Specify whether to enable anti-virus scanning on uploads.
  - `FailClosed bool` Specify whether to block requests for unscannable files.
  - `NotificationSettings NotificationSettings` Configure the message the user's device shows during an antivirus scan.
    - `Enabled bool` Specify whether to enable notifications.
    - `IncludeContext bool` Specify whether to include context information as query parameters.
    - `Msg string` Specify the message to show in the notification.
    - `SupportURL string` Specify a URL that directs users to more information. If unset, the notification opens a block page.

### Block Page Settings

- `type BlockPageSettings struct{…}` Specify block page layout settings.
  - `BackgroundColor string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
  - `Enabled bool` Specify whether to enable the custom block page.
  - `FooterText string` Specify the block page footer text when the mode is customized_block_page.
  - `HeaderText string` Specify the block page header text when the mode is customized_block_page.
  - `IncludeContext bool` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
  - `LogoPath string` Specify the full URL to the logo file when the mode is customized_block_page.
  - `MailtoAddress string` Specify the admin email for users to contact when the mode is customized_block_page.
  - `MailtoSubject string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
  - `Mode BlockPageSettingsMode` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
    - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""`
    - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"`
    - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"`
  - `Name string` Specify the block page title when the mode is customized_block_page.
  - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
  - `SourceAccount string` Indicate the account tag of the account that shared this setting.
  - `SuppressFooter bool` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
  - `TargetURI string` Specify the URI to redirect users to when the mode is redirect_uri.
  - `Version int64` Indicate the version number of the setting.

### Body Scanning Settings

- `type BodyScanningSettings struct{…}` Specify the DLP inspection mode.
  - `InspectionMode BodyScanningSettingsInspectionMode` Specify the inspection mode as either `deep` or `shallow`.
    - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"`
    - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"`

### Browser Isolation Settings

- `type BrowserIsolationSettings struct{…}` Specify Clientless Browser Isolation settings.
  - `NonIdentityEnabled bool` Specify whether to enable non-identity onramp support for Browser Isolation.
  - `URLBrowserIsolationEnabled bool` Specify whether to enable Clientless Browser Isolation.

### Custom Certificate Settings

- `type CustomCertificateSettings struct{…}` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
  - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic.
  - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store).
  - `BindingStatus string` Indicate the internal certificate status.
  - `UpdatedAt Time`

### Extended Email Matching

- `type ExtendedEmailMatching struct{…}` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
  - `Enabled bool` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
  - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
  - `SourceAccount string` Indicate the account tag of the account that shared this setting.
  - `Version int64` Indicate the version number of the setting.

### Fips Settings

- `type FipsSettings struct{…}` Specify FIPS settings.
  - `TLS bool` Enforce cipher suites and TLS versions compliant with FIPS 140-2.

### Gateway Configuration Settings

- `type GatewayConfigurationSettings struct{…}` Specify account settings.
  - `ActivityLog ActivityLogSettings` Specify activity log settings.
    - `Enabled bool` Specify whether to log activity.
  - `Antivirus AntiVirusSettings` Specify anti-virus settings.
    - `EnabledDownloadPhase bool` Specify whether to enable anti-virus scanning on downloads.
    - `EnabledUploadPhase bool` Specify whether to enable anti-virus scanning on uploads.
    - `FailClosed bool` Specify whether to block requests for unscannable files.
    - `NotificationSettings NotificationSettings` Configure the message the user's device shows during an antivirus scan.
      - `Enabled bool` Specify whether to enable notifications.
      - `IncludeContext bool` Specify whether to include context information as query parameters.
      - `Msg string` Specify the message to show in the notification.
      - `SupportURL string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
  - `BlockPage BlockPageSettings` Specify block page layout settings.
    - `BackgroundColor string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
    - `Enabled bool` Specify whether to enable the custom block page.
    - `FooterText string` Specify the block page footer text when the mode is customized_block_page.
    - `HeaderText string` Specify the block page header text when the mode is customized_block_page.
    - `IncludeContext bool` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
    - `LogoPath string` Specify the full URL to the logo file when the mode is customized_block_page.
    - `MailtoAddress string` Specify the admin email for users to contact when the mode is customized_block_page.
    - `MailtoSubject string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
    - `Mode BlockPageSettingsMode` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
      - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""`
      - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"`
      - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"`
    - `Name string` Specify the block page title when the mode is customized_block_page.
    - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
    - `SourceAccount string` Indicate the account tag of the account that shared this setting.
    - `SuppressFooter bool` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
    - `TargetURI string` Specify the URI to redirect users to when the mode is redirect_uri.
    - `Version int64` Indicate the version number of the setting.
  - `BodyScanning BodyScanningSettings` Specify the DLP inspection mode.
    - `InspectionMode BodyScanningSettingsInspectionMode` Specify the inspection mode as either `deep` or `shallow`.
      - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"`
      - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"`
  - `BrowserIsolation BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
    - `NonIdentityEnabled bool` Specify whether to enable non-identity onramp support for Browser Isolation.
    - `URLBrowserIsolationEnabled bool` Specify whether to enable Clientless Browser Isolation.
  - `Certificate GatewayConfigurationSettingsCertificate` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
    - `ID string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
  - `CustomCertificate CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
    - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic.
    - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store).
    - `BindingStatus string` Indicate the internal certificate status.
    - `UpdatedAt Time`
  - `ExtendedEmailMatching ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
    - `Enabled bool` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
    - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
    - `SourceAccount string` Indicate the account tag of the account that shared this setting.
    - `Version int64` Indicate the version number of the setting.
  - `Fips FipsSettings` Specify FIPS settings.
    - `TLS bool` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
  - `HostSelector GatewayConfigurationSettingsHostSelector` Enable host selection in egress policies.
    - `Enabled bool` Specify whether to enable filtering via hosts for egress policies.
  - `Inspection GatewayConfigurationSettingsInspection` Define the proxy inspection mode.
    - `Mode GatewayConfigurationSettingsInspectionMode` Define the proxy inspection mode.
      1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
      2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
      - `const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"`
      - `const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"`
  - `ProtocolDetection ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
    - `Enabled bool` Specify whether to detect protocols from the initial bytes of client traffic.
  - `Sandbox GatewayConfigurationSettingsSandbox` Specify whether to enable the sandbox.
    - `Enabled bool` Specify whether to enable the sandbox.
    - `FallbackAction GatewayConfigurationSettingsSandboxFallbackAction` Specify the action to take when the system cannot scan the file.
      - `const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"`
      - `const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"`
  - `TLSDecrypt TLSSettings` Specify whether to inspect encrypted HTTP traffic.
    - `Enabled bool` Specify whether to inspect encrypted HTTP traffic.

### Notification Settings

- `type NotificationSettings struct{…}` Configure the message the user's device shows during an antivirus scan.
  - `Enabled bool` Specify whether to enable notifications.
  - `IncludeContext bool` Specify whether to include context information as query parameters.
  - `Msg string` Specify the message to show in the notification.
  - `SupportURL string` Specify a URL that directs users to more information. If unset, the notification opens a block page.

### Protocol Detection

- `type ProtocolDetection struct{…}` Specify whether to detect protocols from the initial bytes of client traffic.
  - `Enabled bool` Specify whether to detect protocols from the initial bytes of client traffic.

### TLS Settings

- `type TLSSettings struct{…}` Specify whether to inspect encrypted HTTP traffic.
  - `Enabled bool` Specify whether to inspect encrypted HTTP traffic.
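
The following is an added example, not part of the Cloudflare SDK or of this reference: a Go audit that decodes a Gateway configuration response in the shape shown above and reports settings that fail open or narrow inspection, based on the field descriptions in this section. The function name `AuditGatewayConfig`, the finding IDs and the choice of which values count as findings are assumptions of this example, and both inputs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// toggle is the {"enabled": bool} shape several settings sections share.
type toggle struct {
	Enabled bool `json:"enabled"`
}

// gatewaySettings holds only the fields this audit reads (JSON keys as in the samples on this page).
type gatewaySettings struct {
	ActivityLog       toggle `json:"activity_log"`
	CustomCertificate toggle `json:"custom_certificate"`
	TLSDecrypt        toggle `json:"tls_decrypt"`
	Antivirus         struct {
		Download   bool `json:"enabled_download_phase"`
		Upload     bool `json:"enabled_upload_phase"`
		FailClosed bool `json:"fail_closed"`
	} `json:"antivirus"`
	Inspection struct {
		Mode string `json:"mode"`
	} `json:"inspection"`
	Sandbox struct {
		Enabled        bool   `json:"enabled"`
		FallbackAction string `json:"fallback_action"`
	} `json:"sandbox"`
}

// Finding is one audit result; the IDs are labels made up for this example.
type Finding struct{ ID, Detail string }

// AuditGatewayConfig decodes a configuration response body and lists settings
// that fail open or narrow inspection. A section absent from the body decodes
// to zero values, so it is reported as if it were switched off.
func AuditGatewayConfig(body []byte) ([]Finding, error) {
	var resp struct {
		Success bool `json:"success"`
		Result  struct {
			Settings gatewaySettings `json:"settings"`
		} `json:"result"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode configuration: %w", err)
	}
	if !resp.Success {
		return nil, fmt.Errorf("response has success=false, nothing to audit")
	}
	s := resp.Result.Settings
	var out []Finding
	add := func(id, detail string) { out = append(out, Finding{id, detail}) }
	if !s.ActivityLog.Enabled {
		add("activity-log-off", "activity_log.enabled is false: activity is not logged")
	}
	switch {
	case !s.Antivirus.Download && !s.Antivirus.Upload:
		add("av-off", "anti-virus scanning is off for downloads and uploads")
	case !s.Antivirus.FailClosed:
		add("av-fail-open", "antivirus.fail_closed is false: unscannable files are not blocked")
	}
	if s.Sandbox.Enabled && s.Sandbox.FallbackAction != "block" {
		add("sandbox-fail-open", "sandbox.fallback_action is not block: files that cannot be scanned are not blocked")
	}
	if !s.TLSDecrypt.Enabled {
		add("tls-decrypt-off", "tls_decrypt.enabled is false: HTTPS traffic is not inspected")
	}
	if s.Inspection.Mode != "dynamic" {
		add("inspection-not-dynamic", "inspection.mode is not dynamic: static mode inspects HTTP on 80 and HTTPS on 443 only")
	}
	if s.CustomCertificate.Enabled {
		add("deprecated-custom-cert", "custom_certificate is deprecated: use certificate instead")
	}
	return out, nil
}

// Constructed input: the sample response on this page, cut down to the fields read above.
const samplePage = `{"success": true, "result": {"settings": {
  "activity_log": {"enabled": true},
  "antivirus": {"enabled_download_phase": false, "enabled_upload_phase": false, "fail_closed": false},
  "custom_certificate": {"enabled": true},
  "inspection": {"mode": "static"}, "tls_decrypt": {"enabled": true},
  "sandbox": {"enabled": true, "fallback_action": "allow"}}}}`

// Constructed input: the same settings with the fail-open values corrected.
const sampleHardened = `{"success": true, "result": {"settings": {
  "activity_log": {"enabled": true},
  "antivirus": {"enabled_download_phase": true, "enabled_upload_phase": true, "fail_closed": true},
  "inspection": {"mode": "dynamic"}, "tls_decrypt": {"enabled": true},
  "sandbox": {"enabled": true, "fallback_action": "block"}}}}`

func main() {
	for _, body := range []string{samplePage, sampleHardened} {
		findings, err := AuditGatewayConfig([]byte(body))
		fmt.Printf("%d finding(s), err=%v: %+v\n", len(findings), err, findings)
	}
}
```

Feed it the body returned by the configuration endpoints and review the findings before and after a PATCH.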
# Custom Certificate

## Get Zero Trust certificate configuration

`client.ZeroTrust.Gateway.Configurations.CustomCertificate.Get(ctx, query) (*CustomCertificateSettings, error)`

**get** `/accounts/{account_id}/gateway/configuration/custom_certificate`

Retrieve the current Zero Trust certificate configuration.

### Parameters

- `query GatewayConfigurationCustomCertificateGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type CustomCertificateSettings struct{…}` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
  - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic.
  - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store).
  - `BindingStatus string` Indicate the internal certificate status.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	customCertificateSettings, err := client.ZeroTrust.Gateway.Configurations.CustomCertificate.Get(context.TODO(), zero_trust.GatewayConfigurationCustomCertificateGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", customCertificateSettings.ID)
}
```

#### Response

```json
{
  "enabled": true,
  "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
  "binding_status": "pending_deployment",
  "updated_at": "2019-12-27T18:11:19.117Z"
}
```

# Lists

## List Zero Trust lists

`client.ZeroTrust.Gateway.Lists.List(ctx, params) (*SinglePage[GatewayList], error)`

**get** `/accounts/{account_id}/gateway/lists`

Fetch all Zero Trust lists for an account.

### Parameters

- `params GatewayListListParams`
  - `AccountID param.Field[string]` Path param
  - `Type param.Field[GatewayListListParamsType]` Query param: Specify the list type.
    - `const GatewayListListParamsTypeSerial GatewayListListParamsType = "SERIAL"`
    - `const GatewayListListParamsTypeURL GatewayListListParamsType = "URL"`
    - `const GatewayListListParamsTypeDomain GatewayListListParamsType = "DOMAIN"`
    - `const GatewayListListParamsTypeEmail GatewayListListParamsType = "EMAIL"`
    - `const GatewayListListParamsTypeIP GatewayListListParamsType = "IP"`
    - `const GatewayListListParamsTypeCategory GatewayListListParamsType = "CATEGORY"`
    - `const GatewayListListParamsTypeLocation GatewayListListParamsType = "LOCATION"`
    - `const GatewayListListParamsTypeDevice GatewayListListParamsType = "DEVICE"`

### Returns

- `type GatewayList struct{…}`
  - `ID string` Identify the API resource with a UUID.
  - `Count float64` Indicate the number of items in the list.
  - `CreatedAt Time`
  - `Description string` Provide the list description.
  - `Items []GatewayItem` Provide the list items.
    - `CreatedAt Time`
    - `Description string` Provide the list item description (optional).
    - `Value string` Specify the item value.
  - `Name string` Specify the list name.
  - `Type GatewayListType` Specify the list type.
    - `const GatewayListTypeSerial GatewayListType = "SERIAL"`
    - `const GatewayListTypeURL GatewayListType = "URL"`
    - `const GatewayListTypeDomain GatewayListType = "DOMAIN"`
    - `const GatewayListTypeEmail GatewayListType = "EMAIL"`
    - `const GatewayListTypeIP GatewayListType = "IP"`
    - `const GatewayListTypeCategory GatewayListType = "CATEGORY"`
    - `const GatewayListTypeLocation GatewayListType = "LOCATION"`
    - `const GatewayListTypeDevice GatewayListType = "DEVICE"`
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.Lists.List(context.TODO(), zero_trust.GatewayListListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "count": 20,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "description": "The serial numbers for administrators",
      "items": [
        {
          "created_at": "2014-01-01T05:20:00.12345Z",
          "description": "Austin office IP",
          "value": "8GE8721REF"
        }
      ],
      "name": "Admin Serial Numbers",
      "type": "SERIAL",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get Zero Trust list details

`client.ZeroTrust.Gateway.Lists.Get(ctx, listID, query) (*GatewayList, error)`

**get** `/accounts/{account_id}/gateway/lists/{list_id}`

Fetch a single Zero Trust list.

### Parameters

- `listID string` Identify the API resource with a UUID.
- `query GatewayListGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayList struct{…}`
  - `ID string` Identify the API resource with a UUID.
  - `Count float64` Indicate the number of items in the list.
  - `CreatedAt Time`
  - `Description string` Provide the list description.
  - `Items []GatewayItem` Provide the list items.
    - `CreatedAt Time`
    - `Description string` Provide the list item description (optional).
    - `Value string` Specify the item value.
  - `Name string` Specify the list name.
  - `Type GatewayListType` Specify the list type.
    - `const GatewayListTypeSerial GatewayListType = "SERIAL"`
    - `const GatewayListTypeURL GatewayListType = "URL"`
    - `const GatewayListTypeDomain GatewayListType = "DOMAIN"`
    - `const GatewayListTypeEmail GatewayListType = "EMAIL"`
    - `const GatewayListTypeIP GatewayListType = "IP"`
    - `const GatewayListTypeCategory GatewayListType = "CATEGORY"`
    - `const GatewayListTypeLocation GatewayListType = "LOCATION"`
    - `const GatewayListTypeDevice GatewayListType = "DEVICE"`
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gatewayList, err := client.ZeroTrust.Gateway.Lists.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayListGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewayList.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "count": 20,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {
        "created_at": "2014-01-01T05:20:00.12345Z",
        "description": "Austin office IP",
        "value": "8GE8721REF"
      }
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create Zero Trust list

`client.ZeroTrust.Gateway.Lists.New(ctx, params) (*GatewayListNewResponse, error)`

**post** `/accounts/{account_id}/gateway/lists`

Creates a new Zero Trust list.

### Parameters

- `params GatewayListNewParams`
  - `AccountID param.Field[string]` Path param
  - `Name param.Field[string]` Body param: Specify the list name.
  - `Type param.Field[GatewayListNewParamsType]` Body param: Specify the list type.
    - `const GatewayListNewParamsTypeSerial GatewayListNewParamsType = "SERIAL"`
    - `const GatewayListNewParamsTypeURL GatewayListNewParamsType = "URL"`
    - `const GatewayListNewParamsTypeDomain GatewayListNewParamsType = "DOMAIN"`
    - `const GatewayListNewParamsTypeEmail GatewayListNewParamsType = "EMAIL"`
    - `const GatewayListNewParamsTypeIP GatewayListNewParamsType = "IP"`
    - `const GatewayListNewParamsTypeCategory GatewayListNewParamsType = "CATEGORY"`
    - `const GatewayListNewParamsTypeLocation GatewayListNewParamsType = "LOCATION"`
    - `const GatewayListNewParamsTypeDevice GatewayListNewParamsType = "DEVICE"`
  - `Description param.Field[string]` Body param: Provide the list description.
  - `Items param.Field[[]GatewayListNewParamsItem]` Body param: Add items to the list.
    - `Description string` Provide the list item description (optional).
    - `Value string` Specify the item value.

### Returns

- `type GatewayListNewResponse struct{…}`
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `Description string` Provide the list description.
  - `Items []GatewayItem` Provide the list items.
    - `CreatedAt Time`
    - `Description string` Provide the list item description (optional).
    - `Value string` Specify the item value.
  - `Name string` Specify the list name.
  - `Type GatewayListNewResponseType` Specify the list type.
    - `const GatewayListNewResponseTypeSerial GatewayListNewResponseType = "SERIAL"`
    - `const GatewayListNewResponseTypeURL GatewayListNewResponseType = "URL"`
    - `const GatewayListNewResponseTypeDomain GatewayListNewResponseType = "DOMAIN"`
    - `const GatewayListNewResponseTypeEmail GatewayListNewResponseType = "EMAIL"`
    - `const GatewayListNewResponseTypeIP GatewayListNewResponseType = "IP"`
    - `const GatewayListNewResponseTypeCategory GatewayListNewResponseType = "CATEGORY"`
    - `const GatewayListNewResponseTypeLocation GatewayListNewResponseType = "LOCATION"`
    - `const GatewayListNewResponseTypeDevice GatewayListNewResponseType = "DEVICE"`
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	list, err := client.ZeroTrust.Gateway.Lists.New(context.TODO(), zero_trust.GatewayListNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Name:      cloudflare.F("Admin Serial Numbers"),
		Type:      cloudflare.F(zero_trust.GatewayListNewParamsTypeSerial),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", list.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {
        "created_at": "2014-01-01T05:20:00.12345Z",
        "description": "Austin office IP",
        "value": "8GE8721REF"
      }
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust list

`client.ZeroTrust.Gateway.Lists.Update(ctx, listID, params) (*GatewayList, error)`

**put** `/accounts/{account_id}/gateway/lists/{list_id}`

Updates a configured Zero Trust list. Skips updating list items if they are not included in the payload. A non-empty list of items overwrites the existing list.

### Parameters

- `listID string` Identify the API resource with a UUID.
- `params GatewayListUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Name param.Field[string]` Body param: Specify the list name.
  - `Description param.Field[string]` Body param: Provide the list description.
  - `Items param.Field[[]GatewayListUpdateParamsItem]` Body param: Add items to the list.
    - `Description string` Provide the list item description (optional).
    - `Value string` Specify the item value.

### Returns

- `type GatewayList struct{…}`
  - `ID string` Identify the API resource with a UUID.
  - `Count float64` Indicate the number of items in the list.
  - `CreatedAt Time`
  - `Description string` Provide the list description.
  - `Items []GatewayItem` Provide the list items.
    - `CreatedAt Time`
    - `Description string` Provide the list item description (optional).
    - `Value string` Specify the item value.
  - `Name string` Specify the list name.
  - `Type GatewayListType` Specify the list type.
- `const GatewayListTypeSerial GatewayListType = "SERIAL"` - `const GatewayListTypeURL GatewayListType = "URL"` - `const GatewayListTypeDomain GatewayListType = "DOMAIN"` - `const GatewayListTypeEmail GatewayListType = "EMAIL"` - `const GatewayListTypeIP GatewayListType = "IP"` - `const GatewayListTypeCategory GatewayListType = "CATEGORY"` - `const GatewayListTypeLocation GatewayListType = "LOCATION"` - `const GatewayListTypeDevice GatewayListType = "DEVICE"` - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) gatewayList, err := client.ZeroTrust.Gateway.Lists.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayListUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Name: cloudflare.F("Admin Serial Numbers"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", gatewayList.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "count": 20, "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Patch Zero Trust list. 
`client.ZeroTrust.Gateway.Lists.Edit(ctx, listID, params) (*GatewayList, error)`

**patch** `/accounts/{account_id}/gateway/lists/{list_id}`

Appends or removes an item from a configured Zero Trust list.

### Parameters

- `listID string`

  Identify the API resource with a UUID.

- `params GatewayListEditParams`

  - `AccountID param.Field[string]`

    Path param

  - `Append param.Field[[]GatewayListEditParamsAppend]`

    Body param: Add items to the list.

    - `Description string`

      Provide the list item description (optional).

    - `Value string`

      Specify the item value.

  - `Remove param.Field[[]string]`

    Body param: Lists of item values you want to remove.

### Returns

- `type GatewayList struct{…}`

  - `ID string`

    Identify the API resource with a UUID.

  - `Count float64`

    Indicate the number of items in the list.

  - `CreatedAt Time`

  - `Description string`

    Provide the list description.

  - `Items []GatewayItem`

    Provide the list items.

    - `CreatedAt Time`

    - `Description string`

      Provide the list item description (optional).

    - `Value string`

      Specify the item value.

  - `Name string`

    Specify the list name.

  - `Type GatewayListType`

    Specify the list type.
- `const GatewayListTypeSerial GatewayListType = "SERIAL"` - `const GatewayListTypeURL GatewayListType = "URL"` - `const GatewayListTypeDomain GatewayListType = "DOMAIN"` - `const GatewayListTypeEmail GatewayListType = "EMAIL"` - `const GatewayListTypeIP GatewayListType = "IP"` - `const GatewayListTypeCategory GatewayListType = "CATEGORY"` - `const GatewayListTypeLocation GatewayListType = "LOCATION"` - `const GatewayListTypeDevice GatewayListType = "DEVICE"` - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) gatewayList, err := client.ZeroTrust.Gateway.Lists.Edit( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayListEditParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", gatewayList.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "count": 20, "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete Zero Trust list `client.ZeroTrust.Gateway.Lists.Delete(ctx, listID, body) (*GatewayListDeleteResponse, error)` **delete** `/accounts/{account_id}/gateway/lists/{list_id}` Deletes a Zero Trust list. 
### Parameters - `listID string` Identify the API resource with a UUID. - `body GatewayListDeleteParams` - `AccountID param.Field[string]` ### Returns - `type GatewayListDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) list, err := client.ZeroTrust.Gateway.Lists.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayListDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", list) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### Gateway Item - `type GatewayItem struct{…}` - `CreatedAt Time` - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. ### Gateway List - `type GatewayList struct{…}` - `ID string` Identify the API resource with a UUID. - `Count float64` Indicate the number of items in the list. - `CreatedAt Time` - `Description string` Provide the list description. - `Items []GatewayItem` Provide the list items. - `CreatedAt Time` - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. - `Name string` Specify the list name. - `Type GatewayListType` Specify the list type. 
    - `const GatewayListTypeSerial GatewayListType = "SERIAL"`

    - `const GatewayListTypeURL GatewayListType = "URL"`

    - `const GatewayListTypeDomain GatewayListType = "DOMAIN"`

    - `const GatewayListTypeEmail GatewayListType = "EMAIL"`

    - `const GatewayListTypeIP GatewayListType = "IP"`

    - `const GatewayListTypeCategory GatewayListType = "CATEGORY"`

    - `const GatewayListTypeLocation GatewayListType = "LOCATION"`

    - `const GatewayListTypeDevice GatewayListType = "DEVICE"`

  - `UpdatedAt Time`

# Items

## Get Zero Trust list items

`client.ZeroTrust.Gateway.Lists.Items.List(ctx, listID, query) (*SinglePage[[]GatewayItem], error)`

**get** `/accounts/{account_id}/gateway/lists/{list_id}/items`

Fetch all items in a single Zero Trust list.

### Parameters

- `listID string`

  Identify the API resource with a UUID.

- `query GatewayListItemListParams`

  - `AccountID param.Field[string]`

### Returns

- `type GatewayListItemListResponseEnvelopeResult []GatewayItem`

  Provide the list items.

  - `CreatedAt Time`

  - `Description string`

    Provide the list item description (optional).

  - `Value string`

    Specify the item value.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.Lists.Items.List(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayListItemListParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    [
      {
        "created_at": "2014-01-01T05:20:00.12345Z",
        "description": "Austin office IP",
        "value": "8GE8721REF"
      }
    ]
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Locations

## List Zero Trust Gateway locations

`client.ZeroTrust.Gateway.Locations.List(ctx, query) (*SinglePage[Location], error)`

**get** `/accounts/{account_id}/gateway/locations`

List Zero Trust Gateway locations for an account.

### Parameters

- `query GatewayLocationListParams`

  - `AccountID param.Field[string]`

### Returns

- `type Location struct{…}`

  - `ID string`

  - `ClientDefault bool`

    Indicate whether this location is the default location.

  - `CreatedAt Time`

  - `DNSDestinationIPsID string`

    Indicate the identifier of the pair of IPv4 addresses assigned to this location.

  - `DNSDestinationIPV6BlockID string`

    Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
  - `DOHSubdomain string`

    Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

  - `ECSSupport bool`

    Indicate whether the location must resolve EDNS queries.

  - `Endpoints Endpoint`

    Configure the destination endpoints for this location.

    - `DOH DOHEndpoint`

      - `Enabled bool`

        Indicate whether the DOH endpoint is enabled for this location.

      - `Networks []IPNetwork`

        Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

        - `Network string`

          Specify the IP address or IP CIDR.

      - `RequireToken bool`

        Specify whether the DOH endpoint requires user identity authentication.

    - `DOT DOTEndpoint`

      - `Enabled bool`

        Indicate whether the DOT endpoint is enabled for this location.

      - `Networks []IPNetwork`

        Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

        - `Network string`

          Specify the IP address or IP CIDR.

    - `IPV4 IPV4Endpoint`

      - `Enabled bool`

        Indicate whether the IPv4 endpoint is enabled for this location.

    - `IPV6 IPV6Endpoint`

      - `Enabled bool`

        Indicate whether the IPV6 endpoint is enabled for this location.

      - `Networks []IPV6Network`

        Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

        - `Network string`

          Specify the IPv6 address or IPv6 CIDR.

  - `IP string`

    Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

  - `IPV4Destination string`

    Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
- `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only. - `Name string` Specify the location name. - `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Gateway.Locations.List(context.TODO(), zero_trust.GatewayLocationListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": 
"2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get Zero Trust Gateway location details `client.ZeroTrust.Gateway.Locations.Get(ctx, locationID, query) (*Location, error)` **get** `/accounts/{account_id}/gateway/locations/{location_id}` Get a single Zero Trust Gateway location. ### Parameters - `locationID string` - `query GatewayLocationGetParams` - `AccountID param.Field[string]` ### Returns - `type Location struct{…}` - `ID string` - `ClientDefault bool` Indicate whether this location is the default location. - `CreatedAt Time` - `DNSDestinationIPsID string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `DNSDestinationIPV6BlockID string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `DOHSubdomain string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ECSSupport bool` Indicate whether the location must resolve EDNS queries. - `Endpoints Endpoint` Configure the destination endpoints for this location. - `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. 
- `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. - `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. - `IP string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `IPV4Destination string` Show the primary destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only. - `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only. - `Name string` Specify the location name. - `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. 
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) location, err := client.ZeroTrust.Gateway.Locations.Get( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayLocationGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", location.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a Zero Trust Gateway location `client.ZeroTrust.Gateway.Locations.New(ctx, params) (*Location, error)` **post** `/accounts/{account_id}/gateway/locations` Create a new Zero Trust Gateway location. 
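
The endpoint fields documented above fail open: an enabled DOH, DOT or IPv6 endpoint with an empty `networks` list accepts every source IP, and a configured list is ignored while its endpoint is disabled. The following check is an added example, not code from the Cloudflare SDK; it runs those documented rules over a list-locations response body. The local struct names, the issue codes and the second sample location are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Local mirrors of the JSON fields in the Location responses on this page
// (assumption: these are not the cloudflare-go types).
type ipNet struct {
	Network string `json:"network"`
}

type endpoint struct {
	Enabled      bool    `json:"enabled"`
	Networks     []ipNet `json:"networks"`
	RequireToken bool    `json:"require_token"` // documented for doh only
}

type location struct {
	Name      string              `json:"name"`
	Endpoints map[string]endpoint `json:"endpoints"`
	Networks  []ipNet             `json:"networks"`
}

// Finding is one audit result. The Issue codes are invented for this example.
type Finding struct {
	Location, Endpoint, Issue string
}

// AuditLocations applies the documented Endpoint and Networks rules to a
// list-locations response body and returns findings in a stable order.
func AuditLocations(body []byte) ([]Finding, error) {
	var env struct {
		Success bool       `json:"success"`
		Result  []location `json:"result"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("response has success=false")
	}
	var out []Finding
	for _, loc := range env.Result {
		add := func(ep, issue string) {
			out = append(out, Finding{loc.Name, ep, issue})
		}
		// These three endpoints carry a source allowlist; ipv4 does not.
		for _, name := range []string{"doh", "dot", "ipv6"} {
			ep := loc.Endpoints[name] // missing key yields a disabled endpoint
			open := ep.Enabled && len(ep.Networks) == 0
			switch {
			case open && name == "doh" && !ep.RequireToken:
				// No source allowlist and no user identity check.
				add(name, "open-no-identity")
			case open:
				// Empty list on an enabled endpoint allows all source IPs.
				add(name, "open-to-all-sources")
			case !ep.Enabled && len(ep.Networks) > 0:
				// The list only takes effect when the endpoint is enabled.
				add(name, "allowlist-ignored")
			}
		}
		// Location networks apply only while the IPv4 endpoint is enabled.
		if len(loc.Networks) > 0 && !loc.Endpoints["ipv4"].Enabled {
			add("ipv4", "allowlist-ignored")
		}
	}
	return out, nil
}

// Constructed sample: the first location copies the page's response fields,
// the second is made up to trigger each rule.
const sampleResponse = `{"success": true, "result": [
 {"name": "Austin Office Location",
  "endpoints": {
   "doh": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}], "require_token": true},
   "dot": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}]},
   "ipv4": {"enabled": true},
   "ipv6": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}]}},
  "networks": [{"network": "192.0.2.1/32"}]},
 {"name": "Branch (constructed)",
  "endpoints": {
   "doh": {"enabled": true, "networks": [], "require_token": false},
   "dot": {"enabled": true},
   "ipv4": {"enabled": false},
   "ipv6": {"enabled": false, "networks": [{"network": "2001:db8::/48"}]}},
  "networks": [{"network": "192.0.2.0/24"}]}
]}`

func main() {
	findings, err := AuditLocations([]byte(sampleResponse))
	fmt.Println(findings, err)
}
```

Feed it the JSON body returned by `GET /accounts/{account_id}/gateway/locations` and review any location that reports `open-no-identity` or `open-to-all-sources` before it goes into use.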
### Parameters

- `params GatewayLocationNewParams`

  - `AccountID param.Field[string]`

    Path param

  - `Name param.Field[string]`

    Body param: Specify the location name.

  - `ClientDefault param.Field[bool]`

    Body param: Indicate whether this location is the default location.

  - `DNSDestinationIPsID param.Field[string]`

    Body param: Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged.

  - `ECSSupport param.Field[bool]`

    Body param: Indicate whether the location must resolve EDNS queries.

  - `Endpoints param.Field[Endpoint]`

    Body param: Configure the destination endpoints for this location.

  - `Networks param.Field[[]GatewayLocationNewParamsNetwork]`

    Body param: Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

    - `Network string`

      Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

### Returns

- `type Location struct{…}`

  - `ID string`

  - `ClientDefault bool`

    Indicate whether this location is the default location.

  - `CreatedAt Time`

  - `DNSDestinationIPsID string`

    Indicate the identifier of the pair of IPv4 addresses assigned to this location.

  - `DNSDestinationIPV6BlockID string`

    Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

  - `DOHSubdomain string`

    Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

  - `ECSSupport bool`

    Indicate whether the location must resolve EDNS queries.
- `Endpoints Endpoint` Configure the destination endpoints for this location. - `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. - `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. - `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. - `IP string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `IPV4Destination string` Show the primary destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only. - `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only. - `Name string` Specify the location name. 
- `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) location, err := client.ZeroTrust.Gateway.Locations.New(context.TODO(), zero_trust.GatewayLocationNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Name: cloudflare.F("Austin Office Location"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", location.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office 
Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a Zero Trust Gateway location `client.ZeroTrust.Gateway.Locations.Update(ctx, locationID, params) (*Location, error)` **put** `/accounts/{account_id}/gateway/locations/{location_id}` Update a configured Zero Trust Gateway location. ### Parameters - `locationID string` - `params GatewayLocationUpdateParams` - `AccountID param.Field[string]` Path param - `Name param.Field[string]` Body param: Specify the location name. - `ClientDefault param.Field[bool]` Body param: Indicate whether this location is the default location. - `DNSDestinationIPsID param.Field[string]` Body param: Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged. - `ECSSupport param.Field[bool]` Body param: Indicate whether the location must resolve EDNS queries. - `Endpoints param.Field[Endpoint]` Body param: Configure the destination endpoints for this location. - `Networks param.Field[[]GatewayLocationUpdateParamsNetwork]` Body param: Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. ### Returns - `type Location struct{…}` - `ID string` - `ClientDefault bool` Indicate whether this location is the default location. - `CreatedAt Time` - `DNSDestinationIPsID string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. 
- `DNSDestinationIPV6BlockID string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `DOHSubdomain string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ECSSupport bool` Indicate whether the location must resolve EDNS queries. - `Endpoints Endpoint` Configure the destination endpoints for this location. - `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. - `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. - `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. - `IP string` Defines the automatically generated IPv6 destination IP assigned to this location. 
Gateway counts all DNS requests sent to this IP as requests under this location. - `IPV4Destination string` Show the primary destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only. - `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only. - `Name string` Specify the location name. - `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) location, err := client.ZeroTrust.Gateway.Locations.Update( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayLocationUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Name: cloudflare.F("Austin Office Location"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", location.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": 
false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a Zero Trust Gateway location `client.ZeroTrust.Gateway.Locations.Delete(ctx, locationID, body) (*GatewayLocationDeleteResponse, error)` **delete** `/accounts/{account_id}/gateway/locations/{location_id}` Delete a configured Zero Trust Gateway location. ### Parameters - `locationID string` - `body GatewayLocationDeleteParams` - `AccountID param.Field[string]` ### Returns - `type GatewayLocationDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) location, err := client.ZeroTrust.Gateway.Locations.Delete( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayLocationDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", location) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### DOH Endpoint - `type DOHEndpoint struct{…}` - `Enabled 
bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. ### DOT Endpoint - `type DOTEndpoint struct{…}` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. ### Endpoint - `type Endpoint struct{…}` Configure the destination endpoints for this location. - `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. - `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. 
- `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. ### IP Network - `type IPNetwork struct{…}` - `Network string` Specify the IP address or IP CIDR. ### IPV4 Endpoint - `type IPV4Endpoint struct{…}` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. ### IPV6 Endpoint - `type IPV6Endpoint struct{…}` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. ### IPV6 Network - `type IPV6Network struct{…}` - `Network string` Specify the IPv6 address or IPv6 CIDR. ### Location - `type Location struct{…}` - `ID string` - `ClientDefault bool` Indicate whether this location is the default location. - `CreatedAt Time` - `DNSDestinationIPsID string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `DNSDestinationIPV6BlockID string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `DOHSubdomain string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ECSSupport bool` Indicate whether the location must resolve EDNS queries. - `Endpoints Endpoint` Configure the destination endpoints for this location. 
- `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. - `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. - `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. - `IP string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `IPV4Destination string` Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only. - `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only. - `Name string` Specify the location name. - `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. 
The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. - `UpdatedAt Time` # Logging ## Get logging settings for the Zero Trust account `client.ZeroTrust.Gateway.Logging.Get(ctx, query) (*LoggingSetting, error)` **get** `/accounts/{account_id}/gateway/logging` Retrieve the current logging settings for the Zero Trust account. ### Parameters - `query GatewayLoggingGetParams` - `AccountID param.Field[string]` ### Returns - `type LoggingSetting struct{…}` - `RedactPii bool` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `SettingsByRuleType LoggingSettingSettingsByRuleType` Configure logging settings for each rule type. - `DNS LoggingSettingSettingsByRuleTypeDNS` Configure logging settings for DNS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `HTTP LoggingSettingSettingsByRuleTypeHTTP` Configure logging settings for HTTP/HTTPS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `L4 LoggingSettingSettingsByRuleTypeL4` Configure logging settings for Network firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. 
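One way to turn the `LoggingSetting` fields above into a visibility check, as an added example that is not cloudflare-go code or part of the original reference: it decodes a response in the documented shape and reports, per rule type, whether all traffic, only blocks, or nothing is logged. The names `AuditLogging` and `LoggingAudit` are hypothetical, the sample JSON is constructed, and treating "both flags false" or a missing rule type as "nothing logged" is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample in the shape of the GET /accounts/{account_id}/gateway/logging
// response; the values are made up for this example ("l4" is deliberately absent).
const sampleLoggingResponse = `{
  "errors": [], "messages": [], "success": true,
  "result": {
    "redact_pii": true,
    "settings_by_rule_type": {
      "dns":  { "log_all": true,  "log_blocks": false },
      "http": { "log_all": false, "log_blocks": true }
    }
  }
}`

type ruleLogging struct {
	LogAll    bool `json:"log_all"`
	LogBlocks bool `json:"log_blocks"`
}

type loggingResponse struct {
	Success bool `json:"success"`
	Errors  []struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	} `json:"errors"`
	Result *struct {
		RedactPII bool                    `json:"redact_pii"`
		ByType    map[string]*ruleLogging `json:"settings_by_rule_type"`
	} `json:"result"`
}

// Coverage levels reported per rule type.
const (
	CoverageAll        = "all"
	CoverageBlocksOnly = "blocks_only"
	CoverageNone       = "none"
)

// LoggingAudit (hypothetical type) is the result of the check.
type LoggingAudit struct {
	RedactPII bool
	Coverage  map[string]string // keyed by "dns", "http", "l4"
	Findings  []string
}

// Rule types documented under SettingsByRuleType.
var ruleTypes = []string{"dns", "http", "l4"}

// AuditLogging (hypothetical helper) decodes the API envelope and classifies
// the logging coverage of each rule type.
func AuditLogging(raw []byte) (*LoggingAudit, error) {
	var resp loggingResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !resp.Success || resp.Result == nil {
		if len(resp.Errors) > 0 {
			return nil, fmt.Errorf("API error %d: %s", resp.Errors[0].Code, resp.Errors[0].Message)
		}
		return nil, fmt.Errorf("response carries no usable result")
	}
	audit := &LoggingAudit{RedactPII: resp.Result.RedactPII, Coverage: map[string]string{}}
	for _, rt := range ruleTypes {
		s := resp.Result.ByType[rt] // nil when the rule type is absent or null
		switch {
		case s != nil && s.LogAll:
			audit.Coverage[rt] = CoverageAll
		case s != nil && s.LogBlocks:
			audit.Coverage[rt] = CoverageBlocksOnly
			audit.Findings = append(audit.Findings,
				rt+": only blocked requests are logged; allowed traffic leaves no record")
		default:
			// Assumption: neither flag set (or section missing) means no logging.
			audit.Coverage[rt] = CoverageNone
			audit.Findings = append(audit.Findings, rt+": no requests are logged")
		}
	}
	if audit.RedactPII {
		audit.Findings = append(audit.Findings,
			"redact_pii: source IP, user email, user ID, device ID, URL, referrer and user agent are redacted from activity logs")
	}
	return audit, nil
}

func main() {
	audit, err := AuditLogging([]byte(sampleLoggingResponse))
	if err != nil {
		panic(err)
	}
	for _, rt := range ruleTypes {
		fmt.Printf("%-4s coverage: %s\n", rt, audit.Coverage[rt])
	}
	for _, f := range audit.Findings {
		fmt.Println("finding:", f)
	}
}
```

In practice the bytes would come from the raw response of the `Logging.Get` call; the check itself needs no network access.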
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) loggingSetting, err := client.ZeroTrust.Gateway.Logging.Get(context.TODO(), zero_trust.GatewayLoggingGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", loggingSetting.RedactPii) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "redact_pii": true, "settings_by_rule_type": { "dns": { "log_all": false, "log_blocks": true }, "http": { "log_all": false, "log_blocks": true }, "l4": { "log_all": false, "log_blocks": true } } } } ``` ## Update Zero Trust account logging settings `client.ZeroTrust.Gateway.Logging.Update(ctx, params) (*LoggingSetting, error)` **put** `/accounts/{account_id}/gateway/logging` Update logging settings for the current Zero Trust account. ### Parameters - `params GatewayLoggingUpdateParams` - `AccountID param.Field[string]` Path param - `LoggingSetting param.Field[LoggingSetting]` Body param ### Returns - `type LoggingSetting struct{…}` - `RedactPii bool` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `SettingsByRuleType LoggingSettingSettingsByRuleType` Configure logging settings for each rule type. - `DNS LoggingSettingSettingsByRuleTypeDNS` Configure logging settings for DNS firewall. - `LogAll bool` Specify whether to log all requests to this service. 
- `LogBlocks bool` Specify whether to log only blocking requests to this service. - `HTTP LoggingSettingSettingsByRuleTypeHTTP` Configure logging settings for HTTP/HTTPS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `L4 LoggingSettingSettingsByRuleTypeL4` Configure logging settings for Network firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) loggingSetting, err := client.ZeroTrust.Gateway.Logging.Update(context.TODO(), zero_trust.GatewayLoggingUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), LoggingSetting: zero_trust.LoggingSettingParam{ }, }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", loggingSetting.RedactPii) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "redact_pii": true, "settings_by_rule_type": { "dns": { "log_all": false, "log_blocks": true }, "http": { "log_all": false, "log_blocks": true }, "l4": { "log_all": false, "log_blocks": true } } } } ``` ## Domain Types ### Logging Setting - `type LoggingSetting struct{…}` - `RedactPii bool` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). 
- `SettingsByRuleType LoggingSettingSettingsByRuleType` Configure logging settings for each rule type. - `DNS LoggingSettingSettingsByRuleTypeDNS` Configure logging settings for DNS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `HTTP LoggingSettingSettingsByRuleTypeHTTP` Configure logging settings for HTTP/HTTPS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `L4 LoggingSettingSettingsByRuleTypeL4` Configure logging settings for Network firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. # Proxy Endpoints ## List proxy endpoints `client.ZeroTrust.Gateway.ProxyEndpoints.List(ctx, query) (*SinglePage[ProxyEndpoint], error)` **get** `/accounts/{account_id}/gateway/proxy_endpoints` List all Zero Trust Gateway proxy endpoints for an account. ### Parameters - `query GatewayProxyEndpointListParams` - `AccountID param.Field[string]` ### Returns - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
- `UpdatedAt Time` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"` - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Gateway.ProxyEndpoints.List(context.TODO(), zero_trust.GatewayProxyEndpointListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "ips": [ "192.0.2.1/32" ], "name": "Devops team", "id": "ed35569b41ce4d1facfe683550f54086", "created_at": "2014-01-01T05:20:00.12345Z", "kind": "ip", "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get a proxy endpoint `client.ZeroTrust.Gateway.ProxyEndpoints.Get(ctx, proxyEndpointID, query) (*ProxyEndpoint, error)` **get** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}` Get a single Zero Trust Gateway proxy endpoint. 
### Parameters - `proxyEndpointID string` - `query GatewayProxyEndpointGetParams` - `AccountID param.Field[string]` ### Returns - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. - `UpdatedAt Time` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"` - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) proxyEndpoint, err := client.ZeroTrust.Gateway.ProxyEndpoints.Get( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayProxyEndpointGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", proxyEndpoint) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "ips": [ "192.0.2.1/32" ], "name": "Devops team", "id": "ed35569b41ce4d1facfe683550f54086", "created_at": "2014-01-01T05:20:00.12345Z", "kind": "ip", "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a proxy endpoint `client.ZeroTrust.Gateway.ProxyEndpoints.New(ctx, params) (*ProxyEndpoint, error)` **post** `/accounts/{account_id}/gateway/proxy_endpoints` Create a new Zero Trust Gateway proxy endpoint. ### Parameters - `params GatewayProxyEndpointNewParams` - `AccountID param.Field[string]` Path param - `Name param.Field[string]` Body param: Specify the name of the proxy endpoint. 
- `Kind param.Field[GatewayProxyEndpointNewParamsZeroTrustGatewayProxyEndpointIPCreateKind]` Body param: The proxy endpoint kind - `const GatewayProxyEndpointNewParamsZeroTrustGatewayProxyEndpointIPCreateKindIP GatewayProxyEndpointNewParamsZeroTrustGatewayProxyEndpointIPCreateKind = "ip"` ### Returns - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. - `UpdatedAt Time` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"` - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) proxyEndpoint, err := client.ZeroTrust.Gateway.ProxyEndpoints.New(context.TODO(), zero_trust.GatewayProxyEndpointNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Body: zero_trust.GatewayProxyEndpointNewParamsBodyZeroTrustGatewayProxyEndpointIPCreate{ Name: cloudflare.F("Devops team"), Kind: cloudflare.F(zero_trust.GatewayProxyEndpointNewParamsBodyZeroTrustGatewayProxyEndpointIPCreateKindIP), }, }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", proxyEndpoint) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "ips": [ "192.0.2.1/32" ], "name": "Devops team", "id": "ed35569b41ce4d1facfe683550f54086", "created_at": "2014-01-01T05:20:00.12345Z", "kind": "ip", "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a proxy endpoint `client.ZeroTrust.Gateway.ProxyEndpoints.Edit(ctx, proxyEndpointID, params) (*ProxyEndpoint, error)` **patch** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}` Update a configured Zero Trust Gateway proxy endpoint. ### Parameters - `proxyEndpointID string` - `params GatewayProxyEndpointEditParams` - `AccountID param.Field[string]` Path param - `IPs param.Field[[]GatewayIPs]` Body param: Specify the list of CIDRs to restrict ingress connections. - `Name param.Field[string]` Body param: Specify the name of the proxy endpoint. 
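A pre-flight check for the `IPs` body parameter, as an added example that is not cloudflare-go code or part of the original reference: it rejects malformed, over-broad, ambiguous or duplicate CIDRs before they reach the ingress allow-list. It assumes the Gateway IPs limits stated on this page ("IPv6 to a maximum of /109 and IPv4 to a maximum of /25") cap the size of the range, i.e. a prefix length of at least 25 or 109, which is consistent with the `/32` in the sample responses; `ValidateGatewayIPs`, `CIDRIssue` and the sample inputs are hypothetical.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Assumption: "a maximum of /25" (IPv4) and "/109" (IPv6) bound how large a
// range may be, so the prefix length must be at least these values.
const (
	minIPv4Bits = 25
	minIPv6Bits = 109
)

// CIDRIssue (hypothetical type) records why one entry was rejected.
type CIDRIssue struct {
	Input  string
	Reason string
}

// sampleIPs is constructed input for this example (documentation ranges only).
var sampleIPs = []string{
	"192.0.2.1/32",         // single host: accepted
	"198.51.100.0/24",      // wider than /25: rejected
	"203.0.113.128/25",     // largest IPv4 range allowed: accepted
	"203.0.113.129/25",     // host bits set: rejected
	"2001:db8::/64",        // wider than /109: rejected
	"2001:db8::8000/113",   // accepted
	"192.0.2.1",            // bare address, not a CIDR: rejected
	"::ffff:192.0.2.1/128", // IPv4-mapped IPv6: rejected as ambiguous
	"192.0.2.1/32",         // duplicate: rejected
}

// ValidateGatewayIPs (hypothetical helper) returns the canonical CIDRs that
// pass every check, plus one issue per rejected entry, in input order.
func ValidateGatewayIPs(entries []string) (accepted []string, issues []CIDRIssue) {
	seen := make(map[netip.Prefix]bool)
	for _, e := range entries {
		p, err := netip.ParsePrefix(e)
		if err != nil {
			issues = append(issues, CIDRIssue{e, "not a valid CIDR (a single host needs an explicit /32 or /128)"})
			continue
		}
		addr := p.Addr()
		if addr.Is4In6() {
			issues = append(issues, CIDRIssue{e, "IPv4-mapped IPv6 address; write it as a plain IPv4 CIDR"})
			continue
		}
		minBits, family := minIPv6Bits, "IPv6"
		if addr.Is4() {
			minBits, family = minIPv4Bits, "IPv4"
		}
		if p.Bits() < minBits {
			issues = append(issues, CIDRIssue{e, fmt.Sprintf("%s range is wider than /%d", family, minBits)})
			continue
		}
		// An address with host bits set usually signals a typo: the range that
		// would be allowed is the masked network, not the single address written.
		if p.Masked() != p {
			issues = append(issues, CIDRIssue{e, fmt.Sprintf("host bits set; the range covered is %s", p.Masked())})
			continue
		}
		if seen[p] {
			issues = append(issues, CIDRIssue{e, "duplicate entry"})
			continue
		}
		seen[p] = true
		accepted = append(accepted, p.String())
	}
	return accepted, issues
}

func main() {
	accepted, issues := ValidateGatewayIPs(sampleIPs)
	fmt.Println("send:", accepted)
	for _, i := range issues {
		fmt.Printf("reject %-22s %s\n", i.Input, i.Reason)
	}
}
```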
### Returns - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. - `UpdatedAt Time` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"` - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) proxyEndpoint, err := client.ZeroTrust.Gateway.ProxyEndpoints.Edit( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayProxyEndpointEditParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", proxyEndpoint) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "ips": [ "192.0.2.1/32" ], "name": "Devops team", "id": "ed35569b41ce4d1facfe683550f54086", "created_at": "2014-01-01T05:20:00.12345Z", "kind": "ip", "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a proxy endpoint `client.ZeroTrust.Gateway.ProxyEndpoints.Delete(ctx, proxyEndpointID, body) (*GatewayProxyEndpointDeleteResponse, error)` **delete** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}` Delete a configured Zero Trust Gateway proxy endpoint. 
### Parameters - `proxyEndpointID string` - `body GatewayProxyEndpointDeleteParams` - `AccountID param.Field[string]` ### Returns - `type GatewayProxyEndpointDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) proxyEndpoint, err := client.ZeroTrust.Gateway.ProxyEndpoints.Delete( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayProxyEndpointDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", proxyEndpoint) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### Gateway IPs - `type GatewayIPs string` Specify an IPv4 or IPv6 CIDR. Limit IPv6 to a maximum of /109 and IPv4 to a maximum of /25. ### Proxy Endpoint - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
- `UpdatedAt Time` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"` - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. - `UpdatedAt Time` # Rules ## List Zero Trust Gateway rules `client.ZeroTrust.Gateway.Rules.List(ctx, query) (*SinglePage[GatewayRule], error)` **get** `/accounts/{account_id}/gateway/rules` List Zero Trust Gateway rules for an account. ### Parameters - `query GatewayRuleListParams` - `AccountID param.Field[string]` ### Returns - `type GatewayRule struct{…}` - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`. 
- `const GatewayRuleActionOn GatewayRuleAction = "on"` - `const GatewayRuleActionOff GatewayRuleAction = "off"` - `const GatewayRuleActionAllow GatewayRuleAction = "allow"` - `const GatewayRuleActionBlock GatewayRuleAction = "block"` - `const GatewayRuleActionScan GatewayRuleAction = "scan"` - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"` - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"` - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"` - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"` - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"` - `const GatewayRuleActionOverride GatewayRuleAction = "override"` - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"` - `const GatewayRuleActionEgress GatewayRuleAction = "egress"` - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"` - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"` - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"` - `Enabled bool` Specify whether the rule is enabled. - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `const GatewayFilterHTTP GatewayFilter = "http"` - `const GatewayFilterDNS GatewayFilter = "dns"` - `const GatewayFilterL4 GatewayFilter = "l4"` - `const GatewayFilterEgress GatewayFilter = "egress"` - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"` - `Name string` Specify the rule name. - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. 
- `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ID string` Identify the API resource with a UUID. - `CreatedAt Time` - `DeletedAt Time` Indicate the date of deletion, if any. - `Description string` Specify the rule description. - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time. - `Duration int64` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule. - `Expired bool` Indicates whether the policy is expired. - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only. - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. 
If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules. - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `CommandLogging bool` Enable SSH command logging. - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"` - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"` - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"` - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`. - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2". 
- `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"` - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"` - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"` - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`. - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`. - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"` - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"` - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"` - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"` - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"` - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"` - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"` - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". 
- `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"` - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"` - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply. - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"` - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"` - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`. - `TargetURI string` Specify the URI to which the user is redirected. - `IncludeContext bool` Specify whether to pass the context information as query parameters. - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`. - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `Enforce bool` Enable session enforcement. - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. 
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Sample token as shown in this reference; load a real token from the
	// environment or a secret store instead of hard-coding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// List the Gateway rules of the account.
	page, err := client.ZeroTrust.Gateway.Rules.List(context.TODO(), zero_trust.GatewayRuleListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "allow",
      "enabled": true,
      "filters": [
        "http"
      ],
      "name": "block bad websites",
      "precedence": 0,
      "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "deleted_at": "2019-12-27T18:11:19.117Z",
      "description": "Block bad websites based on their host name.",
      "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
      "expiration": {
        "expires_at": "2014-01-01T05:20:20Z",
        "duration": 10,
        "expired": false
      },
      "identity": "any(identity.groups.name[*] in {\"finance\"})",
      "read_only": true,
      "rule_settings": {
        "add_headers": {
          "My-Next-Header": [
            "foo",
            "bar"
          ],
          "X-Custom-Header-Name": [
            "somecustomvalue"
          ]
        },
        "allow_child_bypass": false,
        "audit_ssh": {
          "command_logging": false
        },
        "biso_admin_controls": {
          "copy": "remote_only",
          "dcp": true,
          "dd": true,
          "dk": true,
          "download": "enabled",
          "dp": false,
          "du": true,
          "keyboard": "enabled",
          "paste": "enabled",
          "printing": "enabled",
          "upload": "enabled",
          "version": "v1"
        },
        "block_page": {
          "target_uri": "https://example.com",
          "include_context": true
        },
        "block_page_enabled": true,
        "block_reason": "This website is a security risk",
        "bypass_parent_rule": false,
        "check_session": {
          "duration": "300s",
          "enforce": true
        },
        "dns_resolvers": {
          "ipv4": [
            {
              "ip": "2.2.2.2",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ],
          "ipv6": [
            {
              "ip": "2001:DB8::",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ]
        },
        "egress": {
          "ipv4": "192.0.2.2",
          "ipv4_fallback": "192.0.2.3",
          "ipv6": "2001:DB8::/64"
        },
        "forensic_copy": {
          "enabled": true
        },
        "ignore_cname_category_matches": true,
        "insecure_disable_dnssec_validation": false,
        "ip_categories": true,
        "ip_indicator_feeds": true,
        "l4override": {
          "ip": "1.1.1.1",
          "port": 0
        },
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        },
        "override_host": "example.com",
        "override_ips": [
          "1.1.1.1",
          "2.2.2.2"
        ],
        "payload_log": {
          "enabled": true
        },
        "quarantine": {
          "file_types": [
            "exe"
          ]
        },
        "redirect": {
          "target_uri": "https://example.com",
          "include_context": true,
          "preserve_path_and_query": true
        },
        "resolve_dns_internally": {
          "fallback": "none",
          "view_id": "view_id"
        },
        "resolve_dns_through_cloudflare": true,
        "untrusted_cert": {
          "action": "error"
        }
      },
      "schedule": {
        "fri": "08:00-12:30,13:30-17:00",
        "mon": "08:00-12:30,13:30-17:00",
        "sat": "08:00-12:30,13:30-17:00",
        "sun": "08:00-12:30,13:30-17:00",
        "thu": "08:00-12:30,13:30-17:00",
        "time_zone": "America/New York",
        "tue": "08:00-12:30,13:30-17:00",
        "wed": "08:00-12:30,13:30-17:00"
      },
      "sharable": true,
      "source_account": "source_account",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "version": 1,
      "warning_status": "warning_status"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust Gateway rule details.

`client.ZeroTrust.Gateway.Rules.Get(ctx, ruleID, query) (*GatewayRule, error)`

**get** `/accounts/{account_id}/gateway/rules/{rule_id}`

Get a single Zero Trust Gateway rule.

### Parameters

- `ruleID string` Identify the API resource with a UUID.
- `query GatewayRuleGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `DeletedAt Time` Indicate the date of deletion, if any.
  - `Description string` Specify the rule description.
  - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only.
  - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
- `IPV4 []DNSResolverSettingsV4` - `IP string` Specify the IPv4 address of the upstream resolver. - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `IPV6 []DNSResolverSettingsV6` - `IP string` Specify the IPv6 address of the upstream resolver. - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `IPV4 string` Specify the IPv4 address to use for egress. - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `IPV6 string` Specify the IPv6 range to use for egress. - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `Enabled bool` Enable sending the copy to storage. - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. 
- `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `IP string` Defines the IPv4 or IPv6 address. - `Port int64` Defines a port number to use for TCP/UDP overrides. - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`. - `Enabled bool` Enable notification. - `IncludeContext bool` Indicates whether to pass the context information as query parameters. - `Msg string` Customize the message shown in the notification. - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `OverrideIPs []string` Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules. - `Enabled bool` Enable DLP payload logging for this rule. - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox. 
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Authenticate with an API token.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Fetch a single Gateway rule by its UUID within the given account.
	gatewayRule, err := client.ZeroTrust.Gateway.Rules.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayRuleGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewayRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [
          "foo",
          "bar"
        ],
        "X-Custom-Header-Name": [
          "somecustomvalue"
        ]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [
        "1.1.1.1",
        "2.2.2.2"
      ],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": [
          "exe"
        ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Create a Zero Trust Gateway rule

`client.ZeroTrust.Gateway.Rules.New(ctx, params) (*GatewayRule, error)`

**post** `/accounts/{account_id}/gateway/rules`

Create a new Zero Trust Gateway rule.

### Parameters

- `params GatewayRuleNewParams`
  - `AccountID param.Field[string]` Path param
  - `Action param.Field[GatewayRuleNewParamsAction]` Body param: Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleNewParamsActionOn GatewayRuleNewParamsAction = "on"`
    - `const GatewayRuleNewParamsActionOff GatewayRuleNewParamsAction = "off"`
    - `const GatewayRuleNewParamsActionAllow GatewayRuleNewParamsAction = "allow"`
    - `const GatewayRuleNewParamsActionBlock GatewayRuleNewParamsAction = "block"`
    - `const GatewayRuleNewParamsActionScan GatewayRuleNewParamsAction = "scan"`
    - `const GatewayRuleNewParamsActionNoscan GatewayRuleNewParamsAction = "noscan"`
    - `const GatewayRuleNewParamsActionSafesearch GatewayRuleNewParamsAction = "safesearch"`
    - `const GatewayRuleNewParamsActionYtrestricted GatewayRuleNewParamsAction = "ytrestricted"`
    - `const GatewayRuleNewParamsActionIsolate GatewayRuleNewParamsAction = "isolate"`
    - `const GatewayRuleNewParamsActionNoisolate GatewayRuleNewParamsAction = "noisolate"`
    - `const GatewayRuleNewParamsActionOverride GatewayRuleNewParamsAction = "override"`
    - `const GatewayRuleNewParamsActionL4Override GatewayRuleNewParamsAction = "l4_override"`
    - `const GatewayRuleNewParamsActionEgress GatewayRuleNewParamsAction = "egress"`
    - `const GatewayRuleNewParamsActionResolve GatewayRuleNewParamsAction = "resolve"`
    - `const GatewayRuleNewParamsActionQuarantine GatewayRuleNewParamsAction = "quarantine"`
    - `const GatewayRuleNewParamsActionRedirect GatewayRuleNewParamsAction = "redirect"`
  - `Name param.Field[string]` Body param: Specify the rule name.
  - `Description param.Field[string]` Body param: Specify the rule description.
  - `DevicePosture param.Field[string]` Body param: Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Enabled param.Field[bool]` Body param: Specify whether the rule is enabled.
  - `Expiration param.Field[GatewayRuleNewParamsExpiration]` Body param: Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration a policy is active, in minutes. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Filters param.Field[[]GatewayFilter]` Body param: Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Identity param.Field[string]` Body param: Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Precedence param.Field[int64]` Body param: Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `RuleSettings param.Field[RuleSetting]` Body param: Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `Schedule param.Field[Schedule]` Body param: Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `Traffic param.Field[string]` Body param: Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `DeletedAt Time` Indicate the date of deletion, if any.
  - `Description string` Specify the rule description.
  - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration a policy is active, in minutes. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only.
  - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
- `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"` - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"` - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"` - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `Fri string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Mon string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sat string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sun string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Thu string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `TimeZone string` Specify the time zone for rule evaluation. 
When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sharable bool` Indicate that this rule is sharable via the Orgs API. - `SourceAccount string` Provide the account tag of the account that created the rule. - `UpdatedAt Time` - `Version int64` Indicate the version number of the rule(read-only). - `WarningStatus string` Indicate a warning for a misconfigured rule, if any. 
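
The field notes above carry constraints that are easy to violate in a hand-written rule: settings scoped to one rule type, resolver settings that exclude each other, the `[INSECURE]` DNSSEC switch, `untrusted_cert` set to `pass_through`, and the schedule interval format. The Go program below is an added example, not part of the Cloudflare SDK or the original reference, that checks a rule object for them offline; `audit`, `checkDay`, `settableFor` and `sampleRule` are hypothetical names, and it assumes the 6-split cap stated for Mondays applies to every day and that intervals may touch but not overlap.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// rule is the subset of a Gateway rule object that this audit reads.
type rule struct {
	Filters  []string               `json:"filters"`
	Settings map[string]interface{} `json:"rule_settings"`
	Schedule map[string]string      `json:"schedule"`
}

// settableFor copies a subset of the reference's "Settable only for ... rules" notes.
var settableFor = map[string]string{
	"redirect": "http", "untrusted_cert": "http", "override_host": "dns", "override_ips": "dns",
	"insecure_disable_dnssec_validation": "dns", "dns_resolvers": "dns_resolver", "egress": "egress",
	"resolve_dns_internally": "dns_resolver", "resolve_dns_through_cloudflare": "dns_resolver",
}

// parseClock converts a time between 00:00 and 24:00 to minutes since midnight.
func parseClock(s string) (int, error) {
	if s == "24:00" {
		return 24 * 60, nil
	}
	t, err := time.Parse("15:04", s)
	return t.Hour()*60 + t.Minute(), err
}

// checkDay validates one schedule value such as "08:00-12:30,13:30-17:00".
func checkDay(v string) error {
	parts := strings.Split(v, ",")
	if len(parts) > 6 { // assumption: the cap of 6 applies to every day
		return fmt.Errorf("%d intervals, maximum is 6", len(parts))
	}
	prevEnd := 0
	for _, p := range parts {
		from, to, _ := strings.Cut(strings.TrimSpace(p), "-")
		a, errA := parseClock(from)
		b, errB := parseClock(to)
		if errA != nil || errB != nil {
			return fmt.Errorf("interval %q is not HH:MM-HH:MM", p)
		}
		if a >= b || a < prevEnd { // assumption: intervals may touch but not overlap
			return fmt.Errorf("interval %q is empty or out of order", p)
		}
		prevEnd = b
	}
	return nil
}

// audit returns sorted findings for one rule object (the "result" value of a response).
func audit(raw []byte) ([]string, error) {
	var r rule
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var out []string
	add := func(format string, a ...interface{}) { out = append(out, fmt.Sprintf(format, a...)) }
	// A setting counts as set unless it is absent, null or false.
	isSet := func(k string) bool { v := r.Settings[k]; return v != nil && v != false }
	for k, want := range settableFor {
		if len(r.Filters) == 1 && isSet(k) && r.Filters[0] != want {
			add("rule_settings.%s: settable only for %s rules", k, want)
		}
	}
	if isSet("insecure_disable_dnssec_validation") {
		add("rule_settings.insecure_disable_dnssec_validation: marked [INSECURE] in the reference")
	}
	if m, ok := r.Settings["untrusted_cert"].(map[string]interface{}); ok && m["action"] == "pass_through" {
		add("rule_settings.untrusted_cert: pass_through replaces the default error (HTTP 526)")
	}
	custom, internal, cf := isSet("dns_resolvers"), isSet("resolve_dns_internally"), isSet("resolve_dns_through_cloudflare")
	if (custom && internal) || (custom && cf) || (internal && cf) {
		add("rule_settings: more than one of the mutually exclusive resolver settings is set")
	}
	for day, v := range r.Schedule {
		if err := checkDay(v); day != "time_zone" && err != nil {
			add("schedule.%s: %v", day, err)
		}
	}
	sort.Strings(out)
	return out, nil
}

// sampleRule is constructed for this example; it is not API output.
const sampleRule = `{"filters": ["http"], "rule_settings": {
  "insecure_disable_dnssec_validation": false, "override_host": "example.com",
  "untrusted_cert": {"action": "pass_through"}, "resolve_dns_through_cloudflare": true,
  "dns_resolvers": {"ipv4": [{"ip": "192.0.2.53"}]}}, "schedule": {"mon": "08:00-12:30,12:00-17:00"}}`

func main() {
	findings, _ := audit([]byte(sampleRule)) // sampleRule is valid JSON
	fmt.Println(strings.Join(findings, "\n"))
}
```

Run it against the `result` object of a create or update response before promoting a rule; an empty result means none of these checks fired, not that the rule is otherwise correct.
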
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gatewayRule, err := client.ZeroTrust.Gateway.Rules.New(context.TODO(), zero_trust.GatewayRuleNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Action:    cloudflare.F(zero_trust.GatewayRuleNewParamsActionAllow),
		Name:      cloudflare.F("block bad websites"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewayRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [
          "foo",
          "bar"
        ],
        "X-Custom-Header-Name": [
          "somecustomvalue"
        ]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [
        "1.1.1.1",
        "2.2.2.2"
      ],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": [
          "exe"
        ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Update a Zero Trust Gateway rule
`client.ZeroTrust.Gateway.Rules.Update(ctx, ruleID, params) (*GatewayRule, error)`

**put** `/accounts/{account_id}/gateway/rules/{rule_id}`

Update a configured Zero Trust Gateway rule.

### Parameters

- `ruleID string` Identify the API resource with a UUID.
- `params GatewayRuleUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Action param.Field[GatewayRuleUpdateParamsAction]` Body param: Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleUpdateParamsActionOn GatewayRuleUpdateParamsAction = "on"`
    - `const GatewayRuleUpdateParamsActionOff GatewayRuleUpdateParamsAction = "off"`
    - `const GatewayRuleUpdateParamsActionAllow GatewayRuleUpdateParamsAction = "allow"`
    - `const GatewayRuleUpdateParamsActionBlock GatewayRuleUpdateParamsAction = "block"`
    - `const GatewayRuleUpdateParamsActionScan GatewayRuleUpdateParamsAction = "scan"`
    - `const GatewayRuleUpdateParamsActionNoscan GatewayRuleUpdateParamsAction = "noscan"`
    - `const GatewayRuleUpdateParamsActionSafesearch GatewayRuleUpdateParamsAction = "safesearch"`
    - `const GatewayRuleUpdateParamsActionYtrestricted GatewayRuleUpdateParamsAction = "ytrestricted"`
    - `const GatewayRuleUpdateParamsActionIsolate GatewayRuleUpdateParamsAction = "isolate"`
    - `const GatewayRuleUpdateParamsActionNoisolate GatewayRuleUpdateParamsAction = "noisolate"`
    - `const GatewayRuleUpdateParamsActionOverride GatewayRuleUpdateParamsAction = "override"`
    - `const GatewayRuleUpdateParamsActionL4Override GatewayRuleUpdateParamsAction = "l4_override"`
    - `const GatewayRuleUpdateParamsActionEgress GatewayRuleUpdateParamsAction = "egress"`
    - `const GatewayRuleUpdateParamsActionResolve GatewayRuleUpdateParamsAction = "resolve"`
    - `const GatewayRuleUpdateParamsActionQuarantine GatewayRuleUpdateParamsAction = "quarantine"`
    - `const GatewayRuleUpdateParamsActionRedirect GatewayRuleUpdateParamsAction = "redirect"`
  - `Name param.Field[string]` Body param: Specify the rule name.
  - `Description param.Field[string]` Body param: Specify the rule description.
  - `DevicePosture param.Field[string]` Body param: Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Enabled param.Field[bool]` Body param: Specify whether the rule is enabled.
  - `Expiration param.Field[GatewayRuleUpdateParamsExpiration]` Body param: Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration a policy is active, in minutes. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Filters param.Field[[]GatewayFilter]` Body param: Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Identity param.Field[string]` Body param: Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Precedence param.Field[int64]` Body param: Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `RuleSettings param.Field[RuleSetting]` Body param: Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `Schedule param.Field[Schedule]` Body param: Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `Traffic param.Field[string]` Body param: Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `DeletedAt Time` Indicate the date of deletion, if any.
  - `Description string` Specify the rule description.
  - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration a policy is active, in minutes. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only.
  - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gatewayRule, err := client.ZeroTrust.Gateway.Rules.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayRuleUpdateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Action:    cloudflare.F(zero_trust.GatewayRuleUpdateParamsActionAllow),
			Name:      cloudflare.F("block bad websites"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewayRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [
          "foo",
          "bar"
        ],
        "X-Custom-Header-Name": [
          "somecustomvalue"
        ]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [
        "1.1.1.1",
        "2.2.2.2"
      ],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": [
          "exe"
        ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Delete a Zero Trust Gateway rule

`client.ZeroTrust.Gateway.Rules.Delete(ctx, ruleID, body) (*GatewayRuleDeleteResponse, error)`

**delete** `/accounts/{account_id}/gateway/rules/{rule_id}`

Delete a Zero Trust Gateway rule.

### Parameters

- `ruleID string` Identify the API resource with a UUID.
- `body GatewayRuleDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayRuleDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	rule, err := client.ZeroTrust.Gateway.Rules.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayRuleDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", rule)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## List Zero Trust Gateway rules
inherited from the parent account `client.ZeroTrust.Gateway.Rules.ListTenant(ctx, query) (*SinglePage[GatewayRule], error)` **get** `/accounts/{account_id}/gateway/rules/tenant` List Zero Trust Gateway rules for the parent account of an account in the MSP configuration. ### Parameters - `query GatewayRuleListTenantParams` - `AccountID param.Field[string]` ### Returns - `type GatewayRule struct{…}` - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. - `const GatewayRuleActionOn GatewayRuleAction = "on"` - `const GatewayRuleActionOff GatewayRuleAction = "off"` - `const GatewayRuleActionAllow GatewayRuleAction = "allow"` - `const GatewayRuleActionBlock GatewayRuleAction = "block"` - `const GatewayRuleActionScan GatewayRuleAction = "scan"` - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"` - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"` - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"` - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"` - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"` - `const GatewayRuleActionOverride GatewayRuleAction = "override"` - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"` - `const GatewayRuleActionEgress GatewayRuleAction = "egress"` - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"` - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"` - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"` - `Enabled bool` Specify whether the rule is enabled. - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. 
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `DeletedAt Time` Indicate the date of deletion, if any.
  - `Description string` Specify the rule description.
  - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only.
  - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.
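
Several of the rule settings listed above weaken enforcement when switched on (`insecure_disable_dnssec_validation`, `untrusted_cert.action` set to `pass_through`, `allow_child_bypass`, `bypass_parent_rule`), and an expired policy stops applying. The following is an added example, not part of the Cloudflare SDK or its documentation: it audits a rules-list response body for those settings using only the JSON keys shown on this page. The sample response, the `AuditRules` and `Finding` names, the check labels, and the choice to skip disabled rules are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// sampleResponse is constructed data in the shape of the rules-list response
// documented on this page; the rule IDs and names are made up for the example.
const sampleResponse = `{"success": true, "result": [
 {"id": "00000000-0000-4000-8000-000000000001", "name": "allow partner zone",
  "action": "allow", "enabled": true,
  "rule_settings": {"insecure_disable_dnssec_validation": true}},
 {"id": "00000000-0000-4000-8000-000000000002", "name": "allow legacy intranet",
  "action": "allow", "enabled": true,
  "rule_settings": {"untrusted_cert": {"action": "pass_through"}, "allow_child_bypass": true}},
 {"id": "00000000-0000-4000-8000-000000000003", "name": "temporary block",
  "action": "block", "enabled": true,
  "expiration": {"expires_at": "2014-01-01T05:20:20Z", "duration": 10, "expired": true}},
 {"id": "00000000-0000-4000-8000-000000000004", "name": "disabled test rule",
  "action": "allow", "enabled": false,
  "rule_settings": {"insecure_disable_dnssec_validation": true}},
 {"id": "00000000-0000-4000-8000-000000000005", "name": "block malware",
  "action": "block", "enabled": true,
  "rule_settings": {"untrusted_cert": {"action": "error"}}}
]}`

// rule holds only the fields this audit reads; the JSON keys are the ones
// that appear in the documented response.
type rule struct {
	ID            string `json:"id"`
	Name          string `json:"name"`
	Action        string `json:"action"`
	Enabled       bool   `json:"enabled"`
	WarningStatus string `json:"warning_status"`
	Expiration    struct {
		Expired bool `json:"expired"`
	} `json:"expiration"`
	Settings struct {
		AllowChildBypass bool `json:"allow_child_bypass"`
		BypassParentRule bool `json:"bypass_parent_rule"`
		DisableDNSSEC    bool `json:"insecure_disable_dnssec_validation"`
		UntrustedCert    struct {
			Action string `json:"action"`
		} `json:"untrusted_cert"`
	} `json:"rule_settings"`
}

// Finding is one risky setting on one enabled rule (hypothetical type).
type Finding struct {
	RuleID, RuleName, Check, Detail string
}

// AuditRules decodes a rules-list response body and reports settings that
// weaken enforcement. Findings keep the order of the rules in the response.
func AuditRules(body []byte) ([]Finding, error) {
	var env struct {
		Success bool   `json:"success"`
		Result  []rule `json:"result"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("response has success=false; not auditing an error body")
	}
	var out []Finding
	for _, r := range env.Result {
		if !r.Enabled {
			continue // assumption: a disabled rule is not evaluated, so it is not reported
		}
		s := r.Settings
		for _, c := range []struct {
			hit           bool
			check, detail string
		}{
			{s.DisableDNSSEC, "dnssec_disabled", "insecure_disable_dnssec_validation is true"},
			{s.UntrustedCert.Action == "pass_through", "untrusted_cert_pass_through", "untrusted_cert.action is pass_through"},
			{s.AllowChildBypass, "child_bypass_allowed", "allow_child_bypass lets MSP child accounts bypass this rule"},
			{s.BypassParentRule, "parent_rule_bypassed", "bypass_parent_rule bypasses the parent account's rules"},
			{r.Action == "block" && r.Expiration.Expired, "expired_block", "expiration.expired is true on a block rule"},
			{r.WarningStatus != "", "warning_status", "API warning: " + r.WarningStatus},
		} {
			if c.hit {
				out = append(out, Finding{RuleID: r.ID, RuleName: r.Name, Check: c.check, Detail: c.detail})
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := AuditRules([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s (%s): %s: %s\n", f.RuleName, f.RuleID, f.Check, f.Detail)
	}
}
```
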
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example value; in real code, load the token from the environment or a secret store.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.Rules.ListTenant(context.TODO(), zero_trust.GatewayRuleListTenantParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "allow",
      "enabled": true,
      "filters": [
        "http"
      ],
      "name": "block bad websites",
      "precedence": 0,
      "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "deleted_at": "2019-12-27T18:11:19.117Z",
      "description": "Block bad websites based on their host name.",
      "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
      "expiration": {
        "expires_at": "2014-01-01T05:20:20Z",
        "duration": 10,
        "expired": false
      },
      "identity": "any(identity.groups.name[*] in {\"finance\"})",
      "read_only": true,
      "rule_settings": {
        "add_headers": {
          "My-Next-Header": [
            "foo",
            "bar"
          ],
          "X-Custom-Header-Name": [
            "somecustomvalue"
          ]
        },
        "allow_child_bypass": false,
        "audit_ssh": {
          "command_logging": false
        },
        "biso_admin_controls": {
          "copy": "remote_only",
          "dcp": true,
          "dd": true,
          "dk": true,
          "download": "enabled",
          "dp": false,
          "du": true,
          "keyboard": "enabled",
          "paste": "enabled",
          "printing": "enabled",
          "upload": "enabled",
          "version": "v1"
        },
        "block_page": {
          "target_uri": "https://example.com",
          "include_context": true
        },
        "block_page_enabled": true,
        "block_reason": "This website is a security risk",
        "bypass_parent_rule": false,
        "check_session": {
          "duration": "300s",
          "enforce": true
        },
        "dns_resolvers": {
          "ipv4": [
            {
              "ip": "2.2.2.2",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ],
          "ipv6": [
            {
              "ip": "2001:DB8::",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ]
        },
        "egress": {
          "ipv4": "192.0.2.2",
          "ipv4_fallback": "192.0.2.3",
          "ipv6": "2001:DB8::/64"
        },
        "forensic_copy": {
          "enabled": true
        },
        "ignore_cname_category_matches": true,
        "insecure_disable_dnssec_validation": false,
        "ip_categories": true,
        "ip_indicator_feeds": true,
        "l4override": {
          "ip": "1.1.1.1",
          "port": 0
        },
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        },
        "override_host": "example.com",
        "override_ips": [
          "1.1.1.1",
          "2.2.2.2"
        ],
        "payload_log": {
          "enabled": true
        },
        "quarantine": {
          "file_types": [
            "exe"
          ]
        },
        "redirect": {
          "target_uri": "https://example.com",
          "include_context": true,
          "preserve_path_and_query": true
        },
        "resolve_dns_internally": {
          "fallback": "none",
          "view_id": "view_id"
        },
        "resolve_dns_through_cloudflare": true,
        "untrusted_cert": {
          "action": "error"
        }
      },
      "schedule": {
        "fri": "08:00-12:30,13:30-17:00",
        "mon": "08:00-12:30,13:30-17:00",
        "sat": "08:00-12:30,13:30-17:00",
        "sun": "08:00-12:30,13:30-17:00",
        "thu": "08:00-12:30,13:30-17:00",
        "time_zone": "America/New York",
        "tue": "08:00-12:30,13:30-17:00",
        "wed": "08:00-12:30,13:30-17:00"
      },
      "sharable": true,
      "source_account": "source_account",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "version": 1,
      "warning_status": "warning_status"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Reset the expiration of a Zero Trust Gateway Rule

`client.ZeroTrust.Gateway.Rules.ResetExpiration(ctx, ruleID, body) (*GatewayRule, error)`

**post** `/accounts/{account_id}/gateway/rules/{rule_id}/reset_expiration`

Resets the expiration of a Zero Trust Gateway Rule if its duration has elapsed and it has a default duration. The Zero Trust Gateway Rule must have values for both `expiration.expires_at` and `expiration.duration`.

### Parameters

- `ruleID string` Identify the API resource with a UUID.
- `body GatewayRuleResetExpirationParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
- `const GatewayFilterHTTP GatewayFilter = "http"` - `const GatewayFilterDNS GatewayFilter = "dns"` - `const GatewayFilterL4 GatewayFilter = "l4"` - `const GatewayFilterEgress GatewayFilter = "egress"` - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"` - `Name string` Specify the rule name. - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ID string` Identify the API resource with a UUID. - `CreatedAt Time` - `DeletedAt Time` Indicate the date of deletion, if any. - `Description string` Specify the rule description. - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. 
Expiration policies ignore client timezones and expire globally at the specified expires_at time. - `Duration int64` Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule. - `Expired bool` Indicates whether the policy is expired. - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only. - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules. - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `CommandLogging bool` Enable SSH command logging. - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
- `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"` - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"` - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"` - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`. - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"` - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"` - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"` - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`. - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`. - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"` - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"` - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". 
- `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"` - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"` - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"` - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"` - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"` - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"` - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"` - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply. - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"` - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"` - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`. - `TargetURI string` Specify the URI to which the user is redirected. - `IncludeContext bool` Specify whether to pass the context information as query parameters. - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`. - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. 
- `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `Enforce bool` Enable session enforcement. - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `IPV4 []DNSResolverSettingsV4` - `IP string` Specify the IPv4 address of the upstream resolver. - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `IPV6 []DNSResolverSettingsV6` - `IP string` Specify the IPv6 address of the upstream resolver. - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. 
- `IPV4 string` Specify the IPv4 address to use for egress. - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `IPV6 string` Specify the IPv6 range to use for egress. - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `Enabled bool` Enable sending the copy to storage. - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `IP string` Defines the IPv4 or IPv6 address. - `Port int64` Defines a port number to use for TCP/UDP overrides. - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`. - `Enabled bool` Enable notification. - `IncludeContext bool` Indicates whether to pass the context information as query parameters. - `Msg string` Customize the message shown in the notification. 
- `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `OverrideIPs []string` Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules. - `Enabled bool` Enable DLP payload logging for this rule. - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox. - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"` - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"` - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"` - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"` - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"` - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"` - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"` - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"` - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"` - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"` - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"` - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"` - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"` - `Redirect RuleSettingRedirect` Apply settings to redirect rules. 
Settable only for `http` rules with the action set to `redirect`. - `TargetURI string` Specify the URI to which the user is redirected. - `IncludeContext bool` Specify whether to pass the context information as query parameters. - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri. - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules. - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"` - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"` - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service. - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules. - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
- `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"` - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"` - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"` - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `Fri string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Mon string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sat string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sun string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Thu string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `TimeZone string` Specify the time zone for rule evaluation. 
When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sharable bool` Indicate that this rule is sharable via the Orgs API. - `SourceAccount string` Provide the account tag of the account that created the rule. - `UpdatedAt Time` - `Version int64` Indicate the version number of the rule(read-only). - `WarningStatus string` Indicate a warning for a misconfigured rule, if any. 
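The conditions stated for `reset_expiration` and the "Settable only for" notes on rule settings can be checked offline against rule JSON before calling the endpoint. The following Go program is an added example, not part of the Cloudflare SDK or its documentation: the `rule` type, the function names, the sample rules and the choice of which settings to flag are assumptions of this example, and only the JSON field names come from the response documented on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// rule mirrors only the fields this check reads. The JSON names are the ones
// in the response documented on this page; the Go type itself is hypothetical.
type rule struct {
	Name       string   `json:"name"`
	Action     string   `json:"action"`
	Filters    []string `json:"filters"`
	Expiration *struct {
		ExpiresAt *time.Time `json:"expires_at"`
		Duration  *int64     `json:"duration"`
		Expired   bool       `json:"expired"`
	} `json:"expiration"`
	Settings struct {
		DisableDNSSEC    bool `json:"insecure_disable_dnssec_validation"`
		AllowChildBypass bool `json:"allow_child_bypass"`
		BypassParentRule bool `json:"bypass_parent_rule"`
		UntrustedCert    *struct {
			Action string `json:"action"`
		} `json:"untrusted_cert"`
	} `json:"rule_settings"`
}

// filter returns the rule's single filter, or "" when the list does not hold
// exactly one value (the reference allows a single value only).
func (r rule) filter() string {
	if len(r.Filters) == 1 {
		return r.Filters[0]
	}
	return ""
}

// resetBlocker returns "" when reset_expiration applies to the rule, otherwise
// the reason it does not. Reading "duration elapsed" as expired == true or
// expires_at <= now is this example's assumption.
func resetBlocker(r rule, now time.Time) string {
	e := r.Expiration
	switch {
	case r.filter() != "dns":
		return "expiration is settable only for dns rules"
	case e == nil || e.ExpiresAt == nil:
		return "expiration.expires_at is missing"
	case e.Duration == nil:
		return "expiration.duration is missing"
	case !e.Expired && now.Before(*e.ExpiresAt):
		return "duration has not elapsed yet"
	}
	return ""
}

// findings lists settings a reviewer should confirm were intended. Which
// settings are flagged is a policy choice of this example.
func findings(r rule) []string {
	var out []string
	s := r.Settings
	if s.DisableDNSSEC {
		out = append(out, "DNSSEC validation disabled")
	}
	if s.UntrustedCert != nil && s.UntrustedCert.Action == "pass_through" {
		out = append(out, "untrusted upstream certificates passed through")
	}
	if s.UntrustedCert != nil && !(r.filter() == "http" && r.Action == "allow") {
		out = append(out, "untrusted_cert set on a rule that is not http/allow")
	}
	if s.AllowChildBypass || s.BypassParentRule {
		out = append(out, "MSP bypass enabled")
	}
	return out
}

// Constructed sample data, not output from a real account.
const sampleRules = `[
 {"name":"temp-vendor-allow","action":"allow","filters":["dns"],
  "expiration":{"expires_at":"2024-01-02T11:00:00Z","duration":60,"expired":true},
  "rule_settings":{"insecure_disable_dnssec_validation":true}},
 {"name":"partner-portal","action":"allow","filters":["http"],
  "rule_settings":{"untrusted_cert":{"action":"pass_through"}}},
 {"name":"temp-block","action":"block","filters":["dns"],
  "expiration":{"expires_at":"2024-01-02T09:00:00+02:00"}},
 {"name":"lab-window","action":"block","filters":["dns"],
  "expiration":{"expires_at":"2024-01-02T13:00:00Z","duration":30,"expired":false},
  "rule_settings":{"bypass_parent_rule":true}}
]`

// loadRules decodes a JSON array of rules.
func loadRules(raw string) ([]rule, error) {
	var rs []rule
	err := json.Unmarshal([]byte(raw), &rs)
	return rs, err
}

func main() {
	rules, err := loadRules(sampleRules)
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 1, 2, 12, 0, 0, 0, time.UTC) // fixed clock for a repeatable run
	for _, r := range rules {
		fmt.Printf("%s: reset blocker=%q findings=%q\n", r.Name, resetBlocker(r, now), findings(r))
	}
}
```
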
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Placeholder API token from the reference; supply your own.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Reset the expiration of the rule identified by its UUID.
	gatewayRule, err := client.ZeroTrust.Gateway.Rules.ResetExpiration(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayRuleResetExpirationParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewayRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [ "http" ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [ "foo", "bar" ],
        "X-Custom-Header-Name": [ "somecustomvalue" ]
      },
      "allow_child_bypass": false,
      "audit_ssh": { "command_logging": false },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": { "enabled": true },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [ "1.1.1.1", "2.2.2.2" ],
      "payload_log": { "enabled": true },
      "quarantine": {
        "file_types": [ "exe" ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": { "action": "error" }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Domain Types

### DNS Resolver Settings V4

- `type DNSResolverSettingsV4 struct{…}`
  - `IP string` Specify the IPv4 address of the upstream resolver.
  - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
  - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
  - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

### DNS Resolver Settings V6

- `type DNSResolverSettingsV6 struct{…}`
  - `IP string` Specify the IPv6 address of the upstream resolver.
  - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
  - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
  - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

### Gateway Filter

- `type GatewayFilter string` Specify the protocol or layer to use.
  - `const GatewayFilterHTTP GatewayFilter = "http"`
  - `const GatewayFilterDNS GatewayFilter = "dns"`
  - `const GatewayFilterL4 GatewayFilter = "l4"`
  - `const GatewayFilterEgress GatewayFilter = "egress"`
  - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`

### Gateway Rule

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
- `const GatewayRuleActionOn GatewayRuleAction = "on"` - `const GatewayRuleActionOff GatewayRuleAction = "off"` - `const GatewayRuleActionAllow GatewayRuleAction = "allow"` - `const GatewayRuleActionBlock GatewayRuleAction = "block"` - `const GatewayRuleActionScan GatewayRuleAction = "scan"` - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"` - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"` - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"` - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"` - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"` - `const GatewayRuleActionOverride GatewayRuleAction = "override"` - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"` - `const GatewayRuleActionEgress GatewayRuleAction = "egress"` - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"` - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"` - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"` - `Enabled bool` Specify whether the rule is enabled. - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `const GatewayFilterHTTP GatewayFilter = "http"` - `const GatewayFilterDNS GatewayFilter = "dns"` - `const GatewayFilterL4 GatewayFilter = "l4"` - `const GatewayFilterEgress GatewayFilter = "egress"` - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"` - `Name string` Specify the rule name. - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. 
- `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ID string` Identify the API resource with a UUID. - `CreatedAt Time` - `DeletedAt Time` Indicate the date of deletion, if any. - `Description string` Specify the rule description. - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time. - `Duration int64` Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule. - `Expired bool` Indicates whether the policy is expired. - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only. - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors.
If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules. - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `CommandLogging bool` Enable SSH command logging. - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"` - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"` - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"` - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`. - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
- `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"` - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"` - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"` - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`. - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`. - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"` - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"` - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"` - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"` - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"` - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"` - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"` - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". 
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00 (capped at maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.

### Rule Setting

- `type RuleSetting struct{…}` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
  - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
  - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
    - `CommandLogging bool` Enable SSH command logging.
  - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
    - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
      - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
      - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
    - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
    - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
    - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
    - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
      - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
      - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
    - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
    - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
    - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
      - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
    - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
      - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
      - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
    - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
      - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
    - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
      - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
    - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
      - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
      - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
  - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
    - `TargetURI string` Specify the URI to which the user is redirected.
    - `IncludeContext bool` Specify whether to pass the context information as query parameters.
  - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
  - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
  - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
  - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
    - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
    - `Enforce bool` Enable session enforcement.
  - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `IPV4 []DNSResolverSettingsV4`
      - `IP string` Specify the IPv4 address of the upstream resolver.
      - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
      - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `IPV6 []DNSResolverSettingsV6`
      - `IP string` Specify the IPv6 address of the upstream resolver.
      - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
      - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
  - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
    - `IPV4 string` Specify the IPv4 address to use for egress.
    - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
    - `IPV6 string` Specify the IPv6 range to use for egress.
  - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
    - `Enabled bool` Enable sending the copy to storage.
  - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
  - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
  - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
  - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
  - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
    - `IP string` Defines the IPv4 or IPv6 address.
    - `Port int64` Defines a port number to use for TCP/UDP overrides.
  - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
    - `Enabled bool` Enable notification.
    - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
    - `Msg string` Customize the message shown in the notification.
    - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
  - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
    - `Enabled bool` Enable DLP payload logging for this rule.
  - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
    - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
      - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
      - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
      - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
      - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
      - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
      - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
      - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
      - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
      - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
      - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
      - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
      - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
      - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
  - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
    - `TargetURI string` Specify the URI to which the user is redirected.
    - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
  - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
      - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
      - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
    - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
  - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
  - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
    - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
      - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
      - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
      - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`

### Schedule

- `type Schedule struct{…}` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `Fri string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Mon string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00 (capped at maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sat string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sun string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Thu string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
  - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

# Certificates

## List Zero Trust certificates

`client.ZeroTrust.Gateway.Certificates.List(ctx, query) (*SinglePage[GatewayCertificateListResponse], error)`

**get** `/accounts/{account_id}/gateway/certificates`

List all Zero Trust certificates for an account.

### Parameters

- `query GatewayCertificateListParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayCertificateListResponse struct{…}`
  - `ID string` Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateListResponseBindingStatus` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateListResponseBindingStatusPendingDeployment GatewayCertificateListResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateListResponseBindingStatusAvailable GatewayCertificateListResponseBindingStatus = "available"`
    - `const GatewayCertificateListResponseBindingStatusPendingDeletion GatewayCertificateListResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateListResponseBindingStatusInactive GatewayCertificateListResponseBindingStatus = "inactive"`
  - `Certificate string` Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string` Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string` Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateListResponseType` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `const GatewayCertificateListResponseTypeCustom GatewayCertificateListResponseType = "custom"`
    - `const GatewayCertificateListResponseTypeGatewayManaged GatewayCertificateListResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example value; supply your own token, ideally from the environment or a secret store.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.Certificates.List(context.TODO(), zero_trust.GatewayCertificateListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "binding_status": "pending_deployment",
      "certificate": "-----BEGIN CERTIFICATE-----\\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\\n-----END CERTIFICATE-----\\n",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
      "in_use": true,
      "issuer_org": "Example Inc.",
      "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
      "type": "gateway_managed",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "uploaded_on": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust certificate details

`client.ZeroTrust.Gateway.Certificates.Get(ctx, certificateID, query) (*GatewayCertificateGetResponse, error)`

**get** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Get a single Zero Trust certificate.

### Parameters

- `certificateID string` Identify the certificate with a UUID.
- `query GatewayCertificateGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayCertificateGetResponse struct{…}`
  - `ID string` Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateGetResponseBindingStatus` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateGetResponseBindingStatusPendingDeployment GatewayCertificateGetResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateGetResponseBindingStatusAvailable GatewayCertificateGetResponseBindingStatus = "available"`
    - `const GatewayCertificateGetResponseBindingStatusPendingDeletion GatewayCertificateGetResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateGetResponseBindingStatusInactive GatewayCertificateGetResponseBindingStatus = "inactive"`
  - `Certificate string` Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string` Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string` Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateGetResponseType` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
- `const GatewayCertificateGetResponseTypeCustom GatewayCertificateGetResponseType = "custom"` - `const GatewayCertificateGetResponseTypeGatewayManaged GatewayCertificateGetResponseType = "gateway_managed"` - `UpdatedAt Time` - `UploadedOn Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) certificate, err := client.ZeroTrust.Gateway.Certificates.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayCertificateGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", certificate.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "binding_status": "pending_deployment", "certificate": "-----BEGIN 
CERTIFICATE-----\\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\\n-----END CERTIFICATE-----\\n", "created_at": "2014-01-01T05:20:00.12345Z", "expires_on": "2014-01-01T05:20:00.12345Z", "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", "in_use": true, "issuer_org": "Example Inc.", "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", "type": "gateway_managed", "updated_at": "2014-01-01T05:20:00.12345Z", "uploaded_on": "2014-01-01T05:20:00.12345Z" } } ``` ## Create Zero Trust certificate `client.ZeroTrust.Gateway.Certificates.New(ctx, params) (*GatewayCertificateNewResponse, error)` **post** `/accounts/{account_id}/gateway/certificates` Create a new Zero Trust certificate. 
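The certificate endpoints in this section return both a `Certificate` PEM and a `Fingerprint`, which can be cross-checked before the CA is distributed to device trust stores. The following is an added example, not Cloudflare's code: it uses only the Go standard library, the helper names and the throwaway certificate are constructed for illustration, and it assumes the fingerprint is the SHA-256 digest of the DER encoding. Octets are parsed individually because the sample response on this page shows an unpadded `0` octet.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// parseFingerprint converts a colon-separated hex fingerprint into 32 bytes.
// Each octet is parsed on its own, so "0" and "00" denote the same byte.
func parseFingerprint(fp string) ([]byte, error) {
	parts := strings.Split(strings.TrimSpace(fp), ":")
	if len(parts) != sha256.Size {
		return nil, fmt.Errorf("fingerprint has %d octets, want %d", len(parts), sha256.Size)
	}
	out := make([]byte, len(parts))
	for i, p := range parts {
		v, err := strconv.ParseUint(p, 16, 8)
		if err != nil || len(p) > 2 {
			return nil, fmt.Errorf("fingerprint octet %d (%q) is not a hex byte", i, p)
		}
		out[i] = byte(v)
	}
	return out, nil
}

// VerifyGatewayCA checks the `certificate` PEM against the reported
// `fingerprint` and confirms it is a CA certificate that is valid at `now`.
func VerifyGatewayCA(certPEM, reportedFP string, now time.Time) (*x509.Certificate, error) {
	// The sample responses show the PEM with literal "\n" sequences; accept both forms.
	certPEM = strings.ReplaceAll(certPEM, `\n`, "\n")
	block, rest := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" || len(bytes.TrimSpace(rest)) != 0 {
		return nil, errors.New("expected exactly one CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	want, err := parseFingerprint(reportedFP)
	if err != nil {
		return nil, err
	}
	if got := sha256.Sum256(cert.Raw); !bytes.Equal(got[:], want) {
		return nil, errors.New("certificate does not match the reported fingerprint")
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return nil, errors.New("certificate is not a CA")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate is not valid at %s", now.Format(time.RFC3339))
	}
	return cert, nil
}

// newConstructedCA builds a throwaway self-signed certificate (constructed sample data).
func newConstructedCA(isCA bool, notBefore, notAfter time.Time) (string, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true,
		Subject: pkix.Name{Organization: []string{"Example Inc."}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), der
}

// pageStyleFingerprint renders SHA-256 as upper-case octets joined by ":" without zero padding.
func pageStyleFingerprint(der []byte) string {
	var parts []string
	for _, b := range sha256.Sum256(der) {
		parts = append(parts, fmt.Sprintf("%X", b))
	}
	return strings.Join(parts, ":")
}

func main() {
	now := time.Now()
	pemText, der := newConstructedCA(true, now.Add(-time.Hour), now.AddDate(5, 0, 0))
	_, err := VerifyGatewayCA(pemText, pageStyleFingerprint(der), now)
	fmt.Println("verification error:", err)
}
```

In real use, pass the `Certificate` and `Fingerprint` values from the API response instead of the constructed pair.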
### Parameters

- `params GatewayCertificateNewParams`
  - `AccountID param.Field[string]` Path param
  - `ValidityPeriodDays param.Field[int64]` Body param: Sets the certificate validity period in days (range: 1-10,950 days / ~30 years). Defaults to 1,825 days (5 years). **Important**: This field can only be set during certificate creation. Certificates become immutable after creation; use the `/activate` and `/deactivate` endpoints to manage the certificate lifecycle.

### Returns

- `type GatewayCertificateNewResponse struct{…}`
  - `ID string` Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateNewResponseBindingStatus` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateNewResponseBindingStatusPendingDeployment GatewayCertificateNewResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateNewResponseBindingStatusAvailable GatewayCertificateNewResponseBindingStatus = "available"`
    - `const GatewayCertificateNewResponseBindingStatusPendingDeletion GatewayCertificateNewResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateNewResponseBindingStatusInactive GatewayCertificateNewResponseBindingStatus = "inactive"`
  - `Certificate string` Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string` Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string` Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateNewResponseType` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `const GatewayCertificateNewResponseTypeCustom GatewayCertificateNewResponseType = "custom"`
    - `const GatewayCertificateNewResponseTypeGatewayManaged GatewayCertificateNewResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Gateway.Certificates.New(context.TODO(), zero_trust.GatewayCertificateNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\\n…\\n-----END CERTIFICATE-----\\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete Zero Trust certificate

`client.ZeroTrust.Gateway.Certificates.Delete(ctx,
certificateID, body) (*GatewayCertificateDeleteResponse, error)`

**delete** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Delete a gateway-managed Zero Trust certificate. You must deactivate the certificate from the edge (inactive) before deleting it.

### Parameters

- `certificateID string` Identify the certificate with a UUID.
- `body GatewayCertificateDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayCertificateDeleteResponse struct{…}`
  - `ID string` Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateDeleteResponseBindingStatus` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateDeleteResponseBindingStatusPendingDeployment GatewayCertificateDeleteResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateDeleteResponseBindingStatusAvailable GatewayCertificateDeleteResponseBindingStatus = "available"`
    - `const GatewayCertificateDeleteResponseBindingStatusPendingDeletion GatewayCertificateDeleteResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateDeleteResponseBindingStatusInactive GatewayCertificateDeleteResponseBindingStatus = "inactive"`
  - `Certificate string` Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string` Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string` Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateDeleteResponseType` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `const GatewayCertificateDeleteResponseTypeCustom GatewayCertificateDeleteResponseType = "custom"`
    - `const GatewayCertificateDeleteResponseTypeGatewayManaged GatewayCertificateDeleteResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Gateway.Certificates.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayCertificateDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\\n…\\n-----END CERTIFICATE-----\\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Activate a Zero Trust certificate

`client.ZeroTrust.Gateway.Certificates.Activate(ctx, certificateID, params) (*GatewayCertificateActivateResponse, error)`

**post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/activate`

Bind a single Zero Trust certificate to the edge.

### Parameters

- `certificateID string` Identify the certificate with a UUID.
- `params GatewayCertificateActivateParams`
  - `AccountID param.Field[string]` Path param
  - `Body param.Field[unknown]` Body param

### Returns

- `type GatewayCertificateActivateResponse struct{…}`
  - `ID string` Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateActivateResponseBindingStatus` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateActivateResponseBindingStatusPendingDeployment GatewayCertificateActivateResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateActivateResponseBindingStatusAvailable GatewayCertificateActivateResponseBindingStatus = "available"`
    - `const GatewayCertificateActivateResponseBindingStatusPendingDeletion GatewayCertificateActivateResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateActivateResponseBindingStatusInactive GatewayCertificateActivateResponseBindingStatus = "inactive"`
  - `Certificate string` Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string` Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string` Provide the entire issuer field of the certificate (read-only).
- `Type GatewayCertificateActivateResponseType` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed. - `const GatewayCertificateActivateResponseTypeCustom GatewayCertificateActivateResponseType = "custom"` - `const GatewayCertificateActivateResponseTypeGatewayManaged GatewayCertificateActivateResponseType = "gateway_managed"` - `UpdatedAt Time` - `UploadedOn Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) response, err := client.ZeroTrust.Gateway.Certificates.Activate( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayCertificateActivateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Body: map[string]interface{}{ }, }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", response.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "binding_status": "pending_deployment", "certificate": "-----BEGIN 
CERTIFICATE-----\\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\\n-----END CERTIFICATE-----\\n", "created_at": "2014-01-01T05:20:00.12345Z", "expires_on": "2014-01-01T05:20:00.12345Z", "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", "in_use": true, "issuer_org": "Example Inc.", "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", "type": "gateway_managed", "updated_at": "2014-01-01T05:20:00.12345Z", "uploaded_on": "2014-01-01T05:20:00.12345Z" } } ``` ## Deactivate a Zero Trust certificate `client.ZeroTrust.Gateway.Certificates.Deactivate(ctx, certificateID, params) (*GatewayCertificateDeactivateResponse, error)` **post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate` Unbind a single Zero Trust 
certificate from the edge.

### Parameters

- `certificateID string` Identify the certificate with a UUID.
- `params GatewayCertificateDeactivateParams`
  - `AccountID param.Field[string]` Path param
  - `Body param.Field[unknown]` Body param

### Returns

- `type GatewayCertificateDeactivateResponse struct{…}`
  - `ID string` Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateDeactivateResponseBindingStatus` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateDeactivateResponseBindingStatusPendingDeployment GatewayCertificateDeactivateResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateDeactivateResponseBindingStatusAvailable GatewayCertificateDeactivateResponseBindingStatus = "available"`
    - `const GatewayCertificateDeactivateResponseBindingStatusPendingDeletion GatewayCertificateDeactivateResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateDeactivateResponseBindingStatusInactive GatewayCertificateDeactivateResponseBindingStatus = "inactive"`
  - `Certificate string` Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string` Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string` Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateDeactivateResponseType` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `const GatewayCertificateDeactivateResponseTypeCustom GatewayCertificateDeactivateResponseType = "custom"`
    - `const GatewayCertificateDeactivateResponseTypeGatewayManaged GatewayCertificateDeactivateResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Gateway.Certificates.Deactivate(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayCertificateDeactivateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Body:      map[string]interface{}{},
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\\n…\\n-----END CERTIFICATE-----\\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

# Pacfiles

## List PAC files

`client.ZeroTrust.Gateway.Pacfiles.List(ctx, query)
(*SinglePage[GatewayPacfileListResponse], error)`

**get** `/accounts/{account_id}/gateway/pacfiles`

List all Zero Trust Gateway PAC files for an account.

### Parameters

- `query GatewayPacfileListParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayPacfileListResponse struct{…}`
  - `ID string`
  - `CreatedAt Time`
  - `Description string` Detailed description of the PAC file.
  - `Name string` Name of the PAC file.
  - `Slug string` URL-friendly version of the PAC file name.
  - `UpdatedAt Time`
  - `URL string` Unique URL to download the PAC file.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.Pacfiles.List(context.TODO(), zero_trust.GatewayPacfileListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "ed35569b41ce4d1facfe683550f54086",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "description": "PAC file for Devops team",
      "name": "Devops team",
      "slug": "pac_devops",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a PAC file

`client.ZeroTrust.Gateway.Pacfiles.Get(ctx, pacfileID, query) (*GatewayPacfileGetResponse, error)`

**get** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Get
a single Zero Trust Gateway PAC file.

### Parameters

- `pacfileID string`
- `query GatewayPacfileGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayPacfileGetResponse struct{…}`
  - `ID string`
  - `Contents string` Actual contents of the PAC file
  - `CreatedAt Time`
  - `Description string` Detailed description of the PAC file.
  - `Name string` Name of the PAC file.
  - `Slug string` URL-friendly version of the PAC file name.
  - `UpdatedAt Time`
  - `URL string` Unique URL to download the PAC file.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	pacfile, err := client.ZeroTrust.Gateway.Pacfiles.Get(
		context.TODO(),
		"ed35569b41ce4d1facfe683550f54086",
		zero_trust.GatewayPacfileGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", pacfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Create a PAC file

`client.ZeroTrust.Gateway.Pacfiles.New(ctx, params) (*GatewayPacfileNewResponse, error)`

**post** `/accounts/{account_id}/gateway/pacfiles`

Create a new Zero Trust Gateway
PAC file.

### Parameters

- `params GatewayPacfileNewParams`
  - `AccountID param.Field[string]` Path param
  - `Contents param.Field[string]` Body param: Actual contents of the PAC file
  - `Name param.Field[string]` Body param: Name of the PAC file.
  - `Description param.Field[string]` Body param: Detailed description of the PAC file.
  - `Slug param.Field[string]` Body param: URL-friendly version of the PAC file name. If not provided, it will be auto-generated

### Returns

- `type GatewayPacfileNewResponse struct{…}`
  - `ID string`
  - `Contents string` Actual contents of the PAC file
  - `CreatedAt Time`
  - `Description string` Detailed description of the PAC file.
  - `Name string` Name of the PAC file.
  - `Slug string` URL-friendly version of the PAC file name.
  - `UpdatedAt Time`
  - `URL string` Unique URL to download the PAC file.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	pacfile, err := client.ZeroTrust.Gateway.Pacfiles.New(context.TODO(), zero_trust.GatewayPacfileNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Contents:  cloudflare.F(`function FindProxyForURL(url, host) { return "DIRECT"; }`),
		Name:      cloudflare.F("Devops team"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", pacfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Update a Zero Trust Gateway PAC file

`client.ZeroTrust.Gateway.Pacfiles.Update(ctx, pacfileID, params) (*GatewayPacfileUpdateResponse, error)`

**put** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Update a configured Zero Trust Gateway PAC file.

### Parameters

- `pacfileID string`
- `params GatewayPacfileUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Contents param.Field[string]` Body param: Actual contents of the PAC file
  - `Description param.Field[string]` Body param: Detailed description of the PAC file.
  - `Name param.Field[string]` Body param: Name of the PAC file.

### Returns

- `type GatewayPacfileUpdateResponse struct{…}`
  - `ID string`
  - `Contents string` Actual contents of the PAC file
  - `CreatedAt Time`
  - `Description string` Detailed description of the PAC file.
  - `Name string` Name of the PAC file.
  - `Slug string` URL-friendly version of the PAC file name.
  - `UpdatedAt Time`
  - `URL string` Unique URL to download the PAC file.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	pacfile, err := client.ZeroTrust.Gateway.Pacfiles.Update(
		context.TODO(),
		"ed35569b41ce4d1facfe683550f54086",
		zero_trust.GatewayPacfileUpdateParams{
			AccountID:   cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Contents:    cloudflare.F(`function FindProxyForURL(url, host) { return "DIRECT"; }`),
			Description: cloudflare.F("PAC file for Devops team"),
			Name:        cloudflare.F("Devops team"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", pacfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Delete a PAC file

`client.ZeroTrust.Gateway.Pacfiles.Delete(ctx, pacfileID, body) (*GatewayPacfileDeleteResponse, error)`

**delete** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Delete a configured Zero Trust Gateway PAC file.
### Parameters

- `pacfileID string`
- `body GatewayPacfileDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayPacfileDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	pacfile, err := client.ZeroTrust.Gateway.Pacfiles.Delete(
		context.TODO(),
		"ed35569b41ce4d1facfe683550f54086",
		zero_trust.GatewayPacfileDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", pacfile)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

# Networks

# Routes

## List tunnel routes

`client.ZeroTrust.Networks.Routes.List(ctx, params) (*V4PagePaginationArray[Teamnet], error)`

**get** `/accounts/{account_id}/teamnet/routes`

Lists and filters private network routes in an account.

### Parameters

- `params NetworkRouteListParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `Comment param.Field[string]` Query param: Optional remark describing the route.
  - `ExistedAt param.Field[string]` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded.
  - `IsDeleted param.Field[bool]` Query param: If `true`, only include deleted routes. If `false`, exclude deleted routes. If empty, all routes will be included.
  - `NetworkSubset param.Field[string]` Query param: If set, only list routes that are contained within this IP range.
- `NetworkSuperset param.Field[string]` Query param: If set, only list routes that contain this IP range. - `Page param.Field[float64]` Query param: Page number of paginated results. - `PerPage param.Field[float64]` Query param: Number of results to display. - `RouteID param.Field[string]` Query param: UUID of the route. - `TunTypes param.Field[[]NetworkRouteListParamsTunType]` Query param: The types of tunnels to filter by, separated by commas. - `const NetworkRouteListParamsTunTypeCfdTunnel NetworkRouteListParamsTunType = "cfd_tunnel"` - `const NetworkRouteListParamsTunTypeWARPConnector NetworkRouteListParamsTunType = "warp_connector"` - `const NetworkRouteListParamsTunTypeWARP NetworkRouteListParamsTunType = "warp"` - `const NetworkRouteListParamsTunTypeMagic NetworkRouteListParamsTunType = "magic"` - `const NetworkRouteListParamsTunTypeIPSec NetworkRouteListParamsTunType = "ip_sec"` - `const NetworkRouteListParamsTunTypeGRE NetworkRouteListParamsTunType = "gre"` - `const NetworkRouteListParamsTunTypeCNI NetworkRouteListParamsTunType = "cni"` - `TunnelID param.Field[string]` Query param: UUID of the tunnel. - `VirtualNetworkID param.Field[string]` Query param: UUID of the virtual network. ### Returns - `type Teamnet struct{…}` - `ID string` UUID of the route. - `Comment string` Optional remark describing the route. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `TunType TeamnetTunType` The type of tunnel. 
    - `const TeamnetTunTypeCfdTunnel TeamnetTunType = "cfd_tunnel"`
    - `const TeamnetTunTypeWARPConnector TeamnetTunType = "warp_connector"`
    - `const TeamnetTunTypeWARP TeamnetTunType = "warp"`
    - `const TeamnetTunTypeMagic TeamnetTunType = "magic"`
    - `const TeamnetTunTypeIPSec TeamnetTunType = "ip_sec"`
    - `const TeamnetTunTypeGRE TeamnetTunType = "gre"`
    - `const TeamnetTunTypeCNI TeamnetTunType = "cni"`
  - `TunnelID string` UUID of the tunnel.
  - `TunnelName string` A user-friendly name for a tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.
  - `VirtualNetworkName string` A user-friendly name for the virtual network.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Networks.Routes.List(context.TODO(), zero_trust.NetworkRouteListParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "Example comment for this route.",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "network": "172.16.0.0/16",
      "tun_type": "cfd_tunnel",
      "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "tunnel_name": "blog",
      "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "virtual_network_name": "us-east-1-vpc"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get tunnel route

`client.ZeroTrust.Networks.Routes.Get(ctx, routeID, query) (*Route, error)`

**get** `/accounts/{account_id}/teamnet/routes/{route_id}`

Get a private network route in an account.

### Parameters

- `routeID string` UUID of the route.
- `query NetworkRouteGetParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type Route struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID string` UUID of the tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  route, err := client.ZeroTrust.Networks.Routes.Get(
    context.TODO(),
    "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    zero_trust.NetworkRouteGetParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", route.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Create a tunnel route

`client.ZeroTrust.Networks.Routes.New(ctx, params) (*Route, error)`

**post** `/accounts/{account_id}/teamnet/routes`

Routes a private network through a Cloudflare Tunnel.

### Parameters

- `params NetworkRouteNewParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `Network param.Field[string]` Body param: The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID param.Field[string]` Body param: UUID of the tunnel.
  - `Comment param.Field[string]` Body param: Optional remark describing the route.
  - `VirtualNetworkID param.Field[string]` Body param: UUID of the virtual network.

### Returns

- `type Route struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID string` UUID of the tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.
### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  route, err := client.ZeroTrust.Networks.Routes.New(context.TODO(), zero_trust.NetworkRouteNewParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    Network: cloudflare.F("172.16.0.0/16"),
    TunnelID: cloudflare.F("f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", route.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Update a tunnel route

`client.ZeroTrust.Networks.Routes.Edit(ctx, routeID, params) (*Route, error)`

**patch** `/accounts/{account_id}/teamnet/routes/{route_id}`

Updates an existing private network route in an account. The fields that are meant to be updated should be provided in the body of the request.

### Parameters

- `routeID string` UUID of the route.
- `params NetworkRouteEditParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `Comment param.Field[string]` Body param: Optional remark describing the route.
  - `Network param.Field[string]` Body param: The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID param.Field[string]` Body param: UUID of the tunnel.
  - `VirtualNetworkID param.Field[string]` Body param: UUID of the virtual network.

### Returns

- `type Route struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID string` UUID of the tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  route, err := client.ZeroTrust.Networks.Routes.Edit(
    context.TODO(),
    "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    zero_trust.NetworkRouteEditParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", route.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Delete a tunnel route

`client.ZeroTrust.Networks.Routes.Delete(ctx, routeID, body) (*Route, error)`

**delete** `/accounts/{account_id}/teamnet/routes/{route_id}`

Deletes a private network route from an account.

### Parameters

- `routeID string` UUID of the route.
- `body NetworkRouteDeleteParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type Route struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID string` UUID of the tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  route, err := client.ZeroTrust.Networks.Routes.Delete(
    context.TODO(),
    "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    zero_trust.NetworkRouteDeleteParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", route.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Domain Types

### Network Route

- `type NetworkRoute struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID string` UUID of the tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.

### Route

- `type Route struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID string` UUID of the tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.

### Teamnet

- `type Teamnet struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunType TeamnetTunType` The type of tunnel.
    - `const TeamnetTunTypeCfdTunnel TeamnetTunType = "cfd_tunnel"`
    - `const TeamnetTunTypeWARPConnector TeamnetTunType = "warp_connector"`
    - `const TeamnetTunTypeWARP TeamnetTunType = "warp"`
    - `const TeamnetTunTypeMagic TeamnetTunType = "magic"`
    - `const TeamnetTunTypeIPSec TeamnetTunType = "ip_sec"`
    - `const TeamnetTunTypeGRE TeamnetTunType = "gre"`
    - `const TeamnetTunTypeCNI TeamnetTunType = "cni"`
  - `TunnelID string` UUID of the tunnel.
  - `TunnelName string` A user-friendly name for a tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.
  - `VirtualNetworkName string` A user-friendly name for the virtual network.

# IPs

## Get tunnel route by IP

`client.ZeroTrust.Networks.Routes.IPs.Get(ctx, ip, params) (*Teamnet, error)`

**get** `/accounts/{account_id}/teamnet/routes/ip/{ip}`

Fetches routes that contain the given IP address.

### Parameters

- `ip string`
- `params NetworkRouteIPGetParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `DefaultVirtualNetworkFallback param.Field[bool]` Query param: When the `virtual_network_id` parameter is not provided, the request filter defaults to searching routes in the default virtual network for the account. If this parameter is set to false, the search will include routes that do not have a virtual network.
  - `VirtualNetworkID param.Field[string]` Query param: UUID of the virtual network.

### Returns

- `type Teamnet struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunType TeamnetTunType` The type of tunnel.
    - `const TeamnetTunTypeCfdTunnel TeamnetTunType = "cfd_tunnel"`
    - `const TeamnetTunTypeWARPConnector TeamnetTunType = "warp_connector"`
    - `const TeamnetTunTypeWARP TeamnetTunType = "warp"`
    - `const TeamnetTunTypeMagic TeamnetTunType = "magic"`
    - `const TeamnetTunTypeIPSec TeamnetTunType = "ip_sec"`
    - `const TeamnetTunTypeGRE TeamnetTunType = "gre"`
    - `const TeamnetTunTypeCNI TeamnetTunType = "cni"`
  - `TunnelID string` UUID of the tunnel.
  - `TunnelName string` A user-friendly name for a tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.
  - `VirtualNetworkName string` A user-friendly name for the virtual network.
### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  teamnet, err := client.ZeroTrust.Networks.Routes.IPs.Get(
    context.TODO(),
    "10.1.0.137",
    zero_trust.NetworkRouteIPGetParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", teamnet.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tun_type": "cfd_tunnel",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "blog",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_name": "us-east-1-vpc"
  },
  "success": true
}
```

# Networks

## Create a tunnel route (CIDR Endpoint)

`client.ZeroTrust.Networks.Routes.Networks.New(ctx, ipNetworkEncoded, params) (*Route, error)`

**post** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}`

Routes a private network through a Cloudflare Tunnel. The CIDR in `ip_network_encoded` must be written in URL-encoded format.

### Parameters

- `ipNetworkEncoded string` IP/CIDR range in URL-encoded format
- `params NetworkRouteNetworkNewParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `TunnelID param.Field[string]` Body param: UUID of the tunnel.
  - `Comment param.Field[string]` Body param: Optional remark describing the route.
  - `VirtualNetworkID param.Field[string]` Body param: UUID of the virtual network.

### Returns

- `type Route struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID string` UUID of the tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  route, err := client.ZeroTrust.Networks.Routes.Networks.New(
    context.TODO(),
    "172.16.0.0%2F16",
    zero_trust.NetworkRouteNetworkNewParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
      TunnelID: cloudflare.F("f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", route.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Update a tunnel route (CIDR Endpoint)

`client.ZeroTrust.Networks.Routes.Networks.Edit(ctx, ipNetworkEncoded, body) (*Route, error)`
**patch** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}`

Updates an existing private network route in an account. The CIDR in `ip_network_encoded` must be written in URL-encoded format.

### Parameters

- `ipNetworkEncoded string` IP/CIDR range in URL-encoded format
- `body NetworkRouteNetworkEditParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type Route struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID string` UUID of the tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  route, err := client.ZeroTrust.Networks.Routes.Networks.Edit(
    context.TODO(),
    "172.16.0.0%2F16",
    zero_trust.NetworkRouteNetworkEditParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", route.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Delete a tunnel route (CIDR Endpoint)

`client.ZeroTrust.Networks.Routes.Networks.Delete(ctx, ipNetworkEncoded, params) (*Route, error)`

**delete** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}`

Deletes a private network route from an account. The CIDR in `ip_network_encoded` must be written in URL-encoded format. If no virtual_network_id is provided it will delete the route from the default vnet. If no tun_type is provided it will fetch the type from the tunnel_id or if that is missing it will assume Cloudflare Tunnel as default. If tunnel_id is provided it will delete the route from that tunnel, otherwise it will delete the route based on the vnet and tun_type.

### Parameters

- `ipNetworkEncoded string` IP/CIDR range in URL-encoded format
- `params NetworkRouteNetworkDeleteParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `TunType param.Field[NetworkRouteNetworkDeleteParamsTunType]` Query param: The type of tunnel.
    - `const NetworkRouteNetworkDeleteParamsTunTypeCfdTunnel NetworkRouteNetworkDeleteParamsTunType = "cfd_tunnel"`
    - `const NetworkRouteNetworkDeleteParamsTunTypeWARPConnector NetworkRouteNetworkDeleteParamsTunType = "warp_connector"`
    - `const NetworkRouteNetworkDeleteParamsTunTypeWARP NetworkRouteNetworkDeleteParamsTunType = "warp"`
    - `const NetworkRouteNetworkDeleteParamsTunTypeMagic NetworkRouteNetworkDeleteParamsTunType = "magic"`
    - `const NetworkRouteNetworkDeleteParamsTunTypeIPSec NetworkRouteNetworkDeleteParamsTunType = "ip_sec"`
    - `const NetworkRouteNetworkDeleteParamsTunTypeGRE NetworkRouteNetworkDeleteParamsTunType = "gre"`
    - `const NetworkRouteNetworkDeleteParamsTunTypeCNI NetworkRouteNetworkDeleteParamsTunType = "cni"`
  - `TunnelID param.Field[string]` Query param: UUID of the tunnel.
  - `VirtualNetworkID param.Field[string]` Query param: UUID of the virtual network.
### Returns

- `type Route struct{…}`
  - `ID string` UUID of the route.
  - `Comment string` Optional remark describing the route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Network string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `TunnelID string` UUID of the tunnel.
  - `VirtualNetworkID string` UUID of the virtual network.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  route, err := client.ZeroTrust.Networks.Routes.Networks.Delete(
    context.TODO(),
    "172.16.0.0%2F16",
    zero_trust.NetworkRouteNetworkDeleteParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", route.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

# Virtual Networks

## List virtual networks

`client.ZeroTrust.Networks.VirtualNetworks.List(ctx, params) (*SinglePage[VirtualNetwork], error)`

**get** `/accounts/{account_id}/teamnet/virtual_networks`

Lists and filters virtual networks in an account.
### Parameters

- `params NetworkVirtualNetworkListParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `ID param.Field[string]` Query param: UUID of the virtual network.
  - `IsDefault param.Field[bool]` Query param: If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included.
  - `IsDefaultNetwork param.Field[bool]` Query param: If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included.
  - `IsDeleted param.Field[bool]` Query param: If `true`, only include deleted virtual networks. If `false`, exclude deleted virtual networks. If empty, all virtual networks will be included.
  - `Name param.Field[string]` Query param: A user-friendly name for the virtual network.

### Returns

- `type VirtualNetwork struct{…}`
  - `ID string` UUID of the virtual network.
  - `Comment string` Optional remark describing the virtual network.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `IsDefaultNetwork bool` If `true`, this virtual network is the default for the account.
  - `Name string` A user-friendly name for the virtual network.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Networks.VirtualNetworks.List(context.TODO(), zero_trust.NetworkVirtualNetworkListParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "Staging VPC for data science",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "is_default_network": true,
      "name": "us-east-1-vpc",
      "deleted_at": "2009-11-10T23:00:00.000000Z"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a virtual network

`client.ZeroTrust.Networks.VirtualNetworks.Get(ctx, virtualNetworkID, query) (*VirtualNetwork, error)`

**get** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}`

Get a virtual network.

### Parameters

- `virtualNetworkID string` UUID of the virtual network.
- `query NetworkVirtualNetworkGetParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type VirtualNetwork struct{…}`
  - `ID string` UUID of the virtual network.
  - `Comment string` Optional remark describing the virtual network.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `IsDefaultNetwork bool` If `true`, this virtual network is the default for the account.
  - `Name string` A user-friendly name for the virtual network.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  virtualNetwork, err := client.ZeroTrust.Networks.VirtualNetworks.Get(
    context.TODO(),
    "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    zero_trust.NetworkVirtualNetworkGetParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", virtualNetwork.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Staging VPC for data science",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "is_default_network": true,
    "name": "us-east-1-vpc",
    "deleted_at": "2009-11-10T23:00:00.000000Z"
  },
  "success": true
}
```

## Create a virtual network

`client.ZeroTrust.Networks.VirtualNetworks.New(ctx, params) (*VirtualNetwork, error)`

**post** `/accounts/{account_id}/teamnet/virtual_networks`

Adds a new virtual network to an account.

### Parameters

- `params NetworkVirtualNetworkNewParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `Name param.Field[string]` Body param: A user-friendly name for the virtual network.
  - `Comment param.Field[string]` Body param: Optional remark describing the virtual network.
  - `IsDefault param.Field[bool]` Body param: If `true`, this virtual network is the default for the account.
  - `IsDefaultNetwork param.Field[bool]` Body param: If `true`, this virtual network is the default for the account.

### Returns

- `type VirtualNetwork struct{…}`
  - `ID string` UUID of the virtual network.
  - `Comment string` Optional remark describing the virtual network.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `IsDefaultNetwork bool` If `true`, this virtual network is the default for the account.
  - `Name string` A user-friendly name for the virtual network.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  virtualNetwork, err := client.ZeroTrust.Networks.VirtualNetworks.New(context.TODO(), zero_trust.NetworkVirtualNetworkNewParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    Name: cloudflare.F("us-east-1-vpc"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", virtualNetwork.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Staging VPC for data science",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "is_default_network": true,
    "name": "us-east-1-vpc",
    "deleted_at": "2009-11-10T23:00:00.000000Z"
  },
  "success": true
}
```

## Update a virtual network

`client.ZeroTrust.Networks.VirtualNetworks.Edit(ctx, virtualNetworkID, params) (*VirtualNetwork, error)`

**patch** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}`

Updates an existing virtual network.

### Parameters

- `virtualNetworkID string` UUID of the virtual network.
- `params NetworkVirtualNetworkEditParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `Comment param.Field[string]` Body param: Optional remark describing the virtual network.
  - `IsDefaultNetwork param.Field[bool]` Body param: If `true`, this virtual network is the default for the account.
  - `Name param.Field[string]` Body param: A user-friendly name for the virtual network.

### Returns

- `type VirtualNetwork struct{…}`
  - `ID string` UUID of the virtual network.
  - `Comment string` Optional remark describing the virtual network.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `IsDefaultNetwork bool` If `true`, this virtual network is the default for the account.
  - `Name string` A user-friendly name for the virtual network.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  virtualNetwork, err := client.ZeroTrust.Networks.VirtualNetworks.Edit(
    context.TODO(),
    "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    zero_trust.NetworkVirtualNetworkEditParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", virtualNetwork.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Staging VPC for data science",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "is_default_network": true,
    "name": "us-east-1-vpc",
    "deleted_at": "2009-11-10T23:00:00.000000Z"
  },
  "success": true
}
```

## Delete a virtual network

`client.ZeroTrust.Networks.VirtualNetworks.Delete(ctx, virtualNetworkID, body) (*VirtualNetwork, error)`

**delete** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}`

Deletes an existing virtual network.

### Parameters

- `virtualNetworkID string` UUID of the virtual network.
- `body NetworkVirtualNetworkDeleteParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type VirtualNetwork struct{…}`
  - `ID string` UUID of the virtual network.
  - `Comment string` Optional remark describing the virtual network.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `IsDefaultNetwork bool` If `true`, this virtual network is the default for the account.
  - `Name string` A user-friendly name for the virtual network.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) virtualNetwork, err := client.ZeroTrust.Networks.VirtualNetworks.Delete( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.NetworkVirtualNetworkDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", virtualNetwork.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" }, "success": true } ``` ## Domain Types ### Virtual Network - `type VirtualNetwork struct{…}` - `ID string` UUID of the virtual network. - `Comment string` Optional remark describing the virtual network. - `CreatedAt Time` Timestamp of when the resource was created. - `IsDefaultNetwork bool` If `true`, this virtual network is the default for the account. - `Name string` A user-friendly name for the virtual network. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. # Subnets ## List Subnets `client.ZeroTrust.Networks.Subnets.List(ctx, params) (*V4PagePaginationArray[Subnet], error)` **get** `/accounts/{account_id}/zerotrust/subnets` Lists and filters subnets in an account. 
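Subnets come back from this endpoint with their range in `network`, and the same CIDR string is what the WARP subnet create call further down this page takes. The following Go program is an added example, not part of cloudflare-go or of the original page: it checks a candidate range against the constraints the page lists for WARP IP assignment subnets (IPv4 only, inside one of the four listed private ranges, `/24` or larger) and then reports which live subnets in a list response it would overlap. The helper names and the sample response are constructed, and the overlap report is a planning aid assumed here, not a rule the page documents.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Parent ranges the page lists for WARP IP assignment subnets.
var warpParents = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),     // RFC 1918
	netip.MustParsePrefix("172.16.0.0/12"),  // RFC 1918
	netip.MustParsePrefix("192.168.0.0/16"), // RFC 1918
	netip.MustParsePrefix("100.64.0.0/10"),  // RFC 6598 (CGNAT)
}

// ValidateWARPNetwork (hypothetical helper) applies the documented constraints
// to a candidate CIDR and returns it with host bits cleared.
func ValidateWARPNetwork(cidr string) (netip.Prefix, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return netip.Prefix{}, fmt.Errorf("%q is not a CIDR: %w", cidr, err)
	}
	if !p.Addr().Is4() {
		return netip.Prefix{}, fmt.Errorf("%s: only IPv4 WARP subnets can be created", cidr)
	}
	// "/24 or larger" refers to network size: /16, /20, /24 pass; /25, /28 do not.
	if p.Bits() > 24 {
		return netip.Prefix{}, fmt.Errorf("%s: network is smaller than /24", cidr)
	}
	p = p.Masked()
	for _, parent := range warpParents {
		// The whole candidate must sit inside the parent: 10.0.0.0/7 starts
		// at an address in 10.0.0.0/8 but is a supernet of it.
		if p.Bits() >= parent.Bits() && parent.Contains(p.Addr()) {
			return p, nil
		}
	}
	return netip.Prefix{}, fmt.Errorf("%s: outside the allowed private ranges", cidr)
}

// listedSubnet holds the fields of a listed subnet that this check needs.
type listedSubnet struct {
	Name       string  `json:"name"`
	Network    string  `json:"network"`
	SubnetType string  `json:"subnet_type"`
	DeletedAt  *string `json:"deleted_at"` // null means the subnet is not deleted
}

// OverlappingSubnets (hypothetical helper) returns the live subnets in a list
// response whose range overlaps the candidate. Deleted subnets are skipped.
func OverlappingSubnets(candidate netip.Prefix, listBody []byte) ([]string, error) {
	var resp struct {
		Success bool           `json:"success"`
		Result  []listedSubnet `json:"result"`
	}
	if err := json.Unmarshal(listBody, &resp); err != nil {
		return nil, fmt.Errorf("decode list response: %w", err)
	}
	if !resp.Success {
		return nil, fmt.Errorf("list response has success=false")
	}
	var hits []string
	for _, s := range resp.Result {
		if s.DeletedAt != nil {
			continue
		}
		existing, err := netip.ParsePrefix(s.Network)
		if err != nil {
			return nil, fmt.Errorf("subnet %q: %w", s.Name, err)
		}
		if existing.Masked().Overlaps(candidate) {
			hits = append(hits, fmt.Sprintf("%s (%s, %s)", s.Name, s.Network, s.SubnetType))
		}
	}
	return hits, nil
}

// sampleList is a constructed list response, not captured API output.
const sampleList = `{"success": true, "result": [
  {"name": "cf-source-v4", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source", "deleted_at": null},
  {"name": "warp-office", "network": "10.20.0.0/16", "subnet_type": "warp", "deleted_at": null},
  {"name": "warp-old", "network": "192.168.0.0/16", "subnet_type": "warp", "deleted_at": "2024-01-01T00:00:00Z"}
]}`

func main() {
	for _, c := range []string{"10.20.5.0/24", "192.168.1.0/25", "10.0.0.0/7", "192.168.10.0/24"} {
		p, err := ValidateWARPNetwork(c)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		hits, err := OverlappingSubnets(p, []byte(sampleList))
		if err != nil {
			fmt.Println("list error:", err)
			continue
		}
		fmt.Printf("ok: %s overlaps=%v\n", p, hits)
	}
}
```

Run it before calling `WARP.New` so a rejected range fails locally, and feed `OverlappingSubnets` the body of a real list call instead of the constructed sample.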
### Parameters - `params NetworkSubnetListParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `AddressFamily param.Field[NetworkSubnetListParamsAddressFamily]` Query param: If set, only include subnets in the given address family - `v4` or `v6` - `const NetworkSubnetListParamsAddressFamilyV4 NetworkSubnetListParamsAddressFamily = "v4"` - `const NetworkSubnetListParamsAddressFamilyV6 NetworkSubnetListParamsAddressFamily = "v6"` - `Comment param.Field[string]` Query param: If set, only list subnets with the given comment. - `ExistedAt param.Field[string]` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded. - `IsDefaultNetwork param.Field[bool]` Query param: If `true`, only include default subnets. If `false`, exclude default subnets. If not set, all subnets will be included. - `IsDeleted param.Field[bool]` Query param: If `true`, only include deleted subnets. If `false`, exclude deleted subnets. If not set, all subnets will be included. - `Name param.Field[string]` Query param: If set, only list subnets with the given name - `Network param.Field[string]` Query param: If set, only list the subnet whose network exactly matches the given CIDR. - `Page param.Field[float64]` Query param: Page number of paginated results. - `PerPage param.Field[float64]` Query param: Number of results to display. - `SortOrder param.Field[NetworkSubnetListParamsSortOrder]` Query param: Sort order of the results. `asc` means oldest to newest, `desc` means newest to oldest. If not set, they will not be in any particular order. - `const NetworkSubnetListParamsSortOrderAsc NetworkSubnetListParamsSortOrder = "asc"` - `const NetworkSubnetListParamsSortOrderDesc NetworkSubnetListParamsSortOrder = "desc"` - `SubnetTypes param.Field[NetworkSubnetListParamsSubnetTypes]` Query param: If set, the types of subnets to include, separated by comma. 
- `const NetworkSubnetListParamsSubnetTypesCloudflareSource NetworkSubnetListParamsSubnetTypes = "cloudflare_source"` - `const NetworkSubnetListParamsSubnetTypesWARP NetworkSubnetListParamsSubnetTypes = "warp"` ### Returns - `type Subnet struct{…}` - `ID string` The UUID of the subnet. - `Comment string` An optional description of the subnet. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `IsDefaultNetwork bool` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `Name string` A user-friendly name for the subnet. - `Network string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `SubnetType SubnetSubnetType` The type of subnet. - `const SubnetSubnetTypeCloudflareSource SubnetSubnetType = "cloudflare_source"` - `const SubnetSubnetTypeWARP SubnetSubnetType = "warp"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Networks.Subnets.List(context.TODO(), zero_trust.NetworkSubnetListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", 
"is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # WARP ## Create WARP IP subnet `client.ZeroTrust.Networks.Subnets.WARP.New(ctx, params) (*Subnet, error)` **post** `/accounts/{account_id}/zerotrust/subnets/warp` Create a WARP IP assignment subnet. Currently, only IPv4 subnets can be created. **Network constraints:** - The network must be within one of the following private IP ranges: - `10.0.0.0/8` (RFC 1918) - `172.16.0.0/12` (RFC 1918) - `192.168.0.0/16` (RFC 1918) - `100.64.0.0/10` (RFC 6598 - CGNAT) - The subnet must have a prefix length of `/24` or larger (e.g., `/16`, `/20`, `/24` are valid; `/25`, `/28` are not) ### Parameters - `params NetworkSubnetWARPNewParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `Name param.Field[string]` Body param: A user-friendly name for the subnet. - `Network param.Field[string]` Body param: The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `Comment param.Field[string]` Body param: An optional description of the subnet. - `IsDefaultNetwork param.Field[bool]` Body param: If `true`, this is the default subnet for the account. There can only be one default subnet per account. ### Returns - `type Subnet struct{…}` - `ID string` The UUID of the subnet. - `Comment string` An optional description of the subnet. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `IsDefaultNetwork bool` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `Name string` A user-friendly name for the subnet. - `Network string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `SubnetType SubnetSubnetType` The type of subnet. 
- `const SubnetSubnetTypeCloudflareSource SubnetSubnetType = "cloudflare_source"` - `const SubnetSubnetTypeWARP SubnetSubnetType = "warp"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) subnet, err := client.ZeroTrust.Networks.Subnets.WARP.New(context.TODO(), zero_trust.NetworkSubnetWARPNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Name: cloudflare.F("IPv4 Cloudflare Source IPs"), Network: cloudflare.F("100.64.0.0/12"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", subnet.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Get WARP IP subnet `client.ZeroTrust.Networks.Subnets.WARP.Get(ctx, subnetID, query) (*Subnet, error)` **get** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}` Get a WARP IP assignment subnet. ### Parameters - `subnetID string` The UUID of the subnet. - `query NetworkSubnetWARPGetParams` - `AccountID param.Field[string]` Cloudflare account ID ### Returns - `type Subnet struct{…}` - `ID string` The UUID of the subnet. - `Comment string` An optional description of the subnet. - `CreatedAt Time` Timestamp of when the resource was created. 
- `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `IsDefaultNetwork bool` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `Name string` A user-friendly name for the subnet. - `Network string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `SubnetType SubnetSubnetType` The type of subnet. - `const SubnetSubnetTypeCloudflareSource SubnetSubnetType = "cloudflare_source"` - `const SubnetSubnetTypeWARP SubnetSubnetType = "warp"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) subnet, err := client.ZeroTrust.Networks.Subnets.WARP.Get( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.NetworkSubnetWARPGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", subnet.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Update WARP IP subnet `client.ZeroTrust.Networks.Subnets.WARP.Edit(ctx, subnetID, params) (*Subnet, error)` **patch** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}` Updates a WARP IP 
assignment subnet. **Update constraints:** - The `network` field cannot be modified for WARP subnets. Only `name`, `comment`, and `is_default_network` can be updated. - IPv6 subnets cannot be updated ### Parameters - `subnetID string` The UUID of the subnet. - `params NetworkSubnetWARPEditParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `Comment param.Field[string]` Body param: An optional description of the subnet. - `IsDefaultNetwork param.Field[bool]` Body param: If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `Name param.Field[string]` Body param: A user-friendly name for the subnet. - `Network param.Field[string]` Body param: The private IPv4 or IPv6 range defining the subnet, in CIDR notation. ### Returns - `type Subnet struct{…}` - `ID string` The UUID of the subnet. - `Comment string` An optional description of the subnet. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `IsDefaultNetwork bool` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `Name string` A user-friendly name for the subnet. - `Network string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `SubnetType SubnetSubnetType` The type of subnet. 
- `const SubnetSubnetTypeCloudflareSource SubnetSubnetType = "cloudflare_source"` - `const SubnetSubnetTypeWARP SubnetSubnetType = "warp"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) subnet, err := client.ZeroTrust.Networks.Subnets.WARP.Edit( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.NetworkSubnetWARPEditParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", subnet.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Delete WARP IP subnet `client.ZeroTrust.Networks.Subnets.WARP.Delete(ctx, subnetID, body) (*NetworkSubnetWARPDeleteResponse, error)` **delete** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}` Delete a WARP IP assignment subnet. This operation is idempotent - deleting an already-deleted or non-existent subnet will return success with a null result. ### Parameters - `subnetID string` The UUID of the subnet. - `body NetworkSubnetWARPDeleteParams` - `AccountID param.Field[string]` Cloudflare account ID ### Returns - `type NetworkSubnetWARPDeleteResponse struct{…}` - `ID string` The UUID of the subnet. 
- `Comment string` An optional description of the subnet. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `IsDefaultNetwork bool` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `Name string` A user-friendly name for the subnet. - `Network string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `SubnetType NetworkSubnetWARPDeleteResponseSubnetType` The type of subnet. - `const NetworkSubnetWARPDeleteResponseSubnetTypeCloudflareSource NetworkSubnetWARPDeleteResponseSubnetType = "cloudflare_source"` - `const NetworkSubnetWARPDeleteResponseSubnetTypeWARP NetworkSubnetWARPDeleteResponseSubnetType = "warp"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) warp, err := client.ZeroTrust.Networks.Subnets.WARP.Delete( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.NetworkSubnetWARPDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", warp.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": 
"cloudflare_source" }, "success": true } ``` ## Domain Types ### Subnet - `type Subnet struct{…}` - `ID string` The UUID of the subnet. - `Comment string` An optional description of the subnet. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `IsDefaultNetwork bool` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `Name string` A user-friendly name for the subnet. - `Network string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `SubnetType SubnetSubnetType` The type of subnet. - `const SubnetSubnetTypeCloudflareSource SubnetSubnetType = "cloudflare_source"` - `const SubnetSubnetTypeWARP SubnetSubnetType = "warp"` # Cloudflare Source ## Update Cloudflare Source Subnet `client.ZeroTrust.Networks.Subnets.CloudflareSource.Update(ctx, addressFamily, params) (*Subnet, error)` **patch** `/accounts/{account_id}/zerotrust/subnets/cloudflare_source/{address_family}` Updates the Cloudflare Source subnet of the given address family ### Parameters - `addressFamily NetworkSubnetCloudflareSourceUpdateParamsAddressFamily` IP address family, either `v4` (IPv4) or `v6` (IPv6) - `const NetworkSubnetCloudflareSourceUpdateParamsAddressFamilyV4 NetworkSubnetCloudflareSourceUpdateParamsAddressFamily = "v4"` - `const NetworkSubnetCloudflareSourceUpdateParamsAddressFamilyV6 NetworkSubnetCloudflareSourceUpdateParamsAddressFamily = "v6"` - `params NetworkSubnetCloudflareSourceUpdateParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `Comment param.Field[string]` Body param: An optional description of the subnet. - `Name param.Field[string]` Body param: A user-friendly name for the subnet. - `Network param.Field[string]` Body param: The private IPv4 or IPv6 range defining the subnet, in CIDR notation. 
### Returns - `type Subnet struct{…}` - `ID string` The UUID of the subnet. - `Comment string` An optional description of the subnet. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `IsDefaultNetwork bool` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `Name string` A user-friendly name for the subnet. - `Network string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `SubnetType SubnetSubnetType` The type of subnet. - `const SubnetSubnetTypeCloudflareSource SubnetSubnetType = "cloudflare_source"` - `const SubnetSubnetTypeWARP SubnetSubnetType = "warp"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) subnet, err := client.ZeroTrust.Networks.Subnets.CloudflareSource.Update( context.TODO(), zero_trust.NetworkSubnetCloudflareSourceUpdateParamsAddressFamilyV4, zero_trust.NetworkSubnetCloudflareSourceUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", subnet.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", 
"subnet_type": "cloudflare_source" }, "success": true } ``` # Hostname Routes ## List hostname routes `client.ZeroTrust.Networks.HostnameRoutes.List(ctx, params) (*V4PagePaginationArray[HostnameRoute], error)` **get** `/accounts/{account_id}/zerotrust/routes/hostname` Lists and filters hostname routes in an account. ### Parameters - `params NetworkHostnameRouteListParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `ID param.Field[string]` Query param: The hostname route ID. - `Comment param.Field[string]` Query param: If set, only list hostname routes with the given comment. - `ExistedAt param.Field[string]` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded. - `Hostname param.Field[string]` Query param: If set, only list hostname routes that contain a substring of the given value, the filter is case-insensitive. - `IsDeleted param.Field[bool]` Query param: If `true`, only return deleted hostname routes. If `false`, exclude deleted hostname routes. - `Page param.Field[float64]` Query param: Page number of paginated results. - `PerPage param.Field[float64]` Query param: Number of results to display. - `TunnelID param.Field[string]` Query param: If set, only list hostname routes that point to a specific tunnel. ### Returns - `type HostnameRoute struct{…}` - `ID string` The hostname route ID. - `Comment string` An optional description of the hostname route. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Hostname string` The hostname of the route. - `TunnelID string` UUID of the tunnel. - `TunnelName string` A user-friendly name for a tunnel. 
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Networks.HostnameRoutes.List(context.TODO(), zero_trust.NetworkHostnameRouteListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "hostname": "office-1.local", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "tunnel_name": "api-tunnel" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get hostname route `client.ZeroTrust.Networks.HostnameRoutes.Get(ctx, hostnameRouteID, query) (*HostnameRoute, error)` **get** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}` Get a hostname route. ### Parameters - `hostnameRouteID string` The hostname route ID. - `query NetworkHostnameRouteGetParams` - `AccountID param.Field[string]` Cloudflare account ID ### Returns - `type HostnameRoute struct{…}` - `ID string` The hostname route ID. - `Comment string` An optional description of the hostname route. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Hostname string` The hostname of the route. 
- `TunnelID string` UUID of the tunnel. - `TunnelName string` A user-friendly name for a tunnel. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) hostnameRoute, err := client.ZeroTrust.Networks.HostnameRoutes.Get( context.TODO(), "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", zero_trust.NetworkHostnameRouteGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", hostnameRoute.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "hostname": "office-1.local", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "tunnel_name": "api-tunnel" }, "success": true } ``` ## Create hostname route `client.ZeroTrust.Networks.HostnameRoutes.New(ctx, params) (*HostnameRoute, error)` **post** `/accounts/{account_id}/zerotrust/routes/hostname` Create a hostname route. ### Parameters - `params NetworkHostnameRouteNewParams` - `AccountID param.Field[string]` Path param: Cloudflare account ID - `Comment param.Field[string]` Body param: An optional description of the hostname route. - `Hostname param.Field[string]` Body param: The hostname of the route. - `TunnelID param.Field[string]` Body param: UUID of the tunnel. ### Returns - `type HostnameRoute struct{…}` - `ID string` The hostname route ID. 
- `Comment string` An optional description of the hostname route. - `CreatedAt Time` Timestamp of when the resource was created. - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `Hostname string` The hostname of the route. - `TunnelID string` UUID of the tunnel. - `TunnelName string` A user-friendly name for a tunnel. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) hostnameRoute, err := client.ZeroTrust.Networks.HostnameRoutes.New(context.TODO(), zero_trust.NetworkHostnameRouteNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", hostnameRoute.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "hostname": "office-1.local", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "tunnel_name": "api-tunnel" }, "success": true } ``` ## Update hostname route `client.ZeroTrust.Networks.HostnameRoutes.Edit(ctx, hostnameRouteID, params) (*HostnameRoute, error)` **patch** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}` Updates a hostname route. ### Parameters - `hostnameRouteID string` The hostname route ID. 
- `params NetworkHostnameRouteEditParams`
  - `AccountID param.Field[string]` Path param: Cloudflare account ID
  - `Comment param.Field[string]` Body param: An optional description of the hostname route.
  - `Hostname param.Field[string]` Body param: The hostname of the route.
  - `TunnelID param.Field[string]` Body param: UUID of the tunnel.

### Returns

- `type HostnameRoute struct{…}`
  - `ID string` The hostname route ID.
  - `Comment string` An optional description of the hostname route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Hostname string` The hostname of the route.
  - `TunnelID string` UUID of the tunnel.
  - `TunnelName string` A user-friendly name for a tunnel.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	hostnameRoute, err := client.ZeroTrust.Networks.HostnameRoutes.Edit(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		zero_trust.NetworkHostnameRouteEditParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", hostnameRoute.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Delete hostname route

`client.ZeroTrust.Networks.HostnameRoutes.Delete(ctx, hostnameRouteID, body) (*HostnameRoute, error)`

**delete** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}`

Delete a hostname route.

### Parameters

- `hostnameRouteID string` The hostname route ID.
- `body NetworkHostnameRouteDeleteParams`
  - `AccountID param.Field[string]` Cloudflare account ID

### Returns

- `type HostnameRoute struct{…}`
  - `ID string` The hostname route ID.
  - `Comment string` An optional description of the hostname route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Hostname string` The hostname of the route.
  - `TunnelID string` UUID of the tunnel.
  - `TunnelName string` A user-friendly name for a tunnel.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	hostnameRoute, err := client.ZeroTrust.Networks.HostnameRoutes.Delete(
		context.TODO(),
		"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
		zero_trust.NetworkHostnameRouteDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", hostnameRoute.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Domain Types

### Hostname Route

- `type HostnameRoute struct{…}`
  - `ID string` The hostname route ID.
  - `Comment string` An optional description of the hostname route.
  - `CreatedAt Time` Timestamp of when the resource was created.
  - `DeletedAt Time` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `Hostname string` The hostname of the route.
  - `TunnelID string` UUID of the tunnel.
  - `TunnelName string` A user-friendly name for a tunnel.

# Risk Scoring

## Get risk event/score information for a specific user

`client.ZeroTrust.RiskScoring.Get(ctx, userID, query) (*RiskScoringGetResponse, error)`

**get** `/accounts/{account_id}/zt_risk_scoring/{user_id}`

Retrieves the detailed risk score breakdown for a specific user, including contributing factors.

### Parameters

- `userID string`
- `query RiskScoringGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type RiskScoringGetResponse struct{…}`
  - `Email string`
  - `Events []RiskScoringGetResponseEvent`
    - `ID string`
    - `Name string`
    - `RiskLevel RiskScoringGetResponseEventsRiskLevel`
      - `const RiskScoringGetResponseEventsRiskLevelLow RiskScoringGetResponseEventsRiskLevel = "low"`
      - `const RiskScoringGetResponseEventsRiskLevelMedium RiskScoringGetResponseEventsRiskLevel = "medium"`
      - `const RiskScoringGetResponseEventsRiskLevelHigh RiskScoringGetResponseEventsRiskLevel = "high"`
    - `Timestamp Time`
    - `EventDetails unknown`
  - `Name string`
  - `LastResetTime Time`
  - `RiskLevel RiskScoringGetResponseRiskLevel`
    - `const RiskScoringGetResponseRiskLevelLow RiskScoringGetResponseRiskLevel = "low"`
    - `const RiskScoringGetResponseRiskLevelMedium RiskScoringGetResponseRiskLevel = "medium"`
    - `const RiskScoringGetResponseRiskLevelHigh RiskScoringGetResponseRiskLevel = "high"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	riskScoring, err := client.ZeroTrust.RiskScoring.Get(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.RiskScoringGetParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", riskScoring.Email)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "email": "email",
    "events": [
      {
        "id": "id",
        "name": "name",
        "risk_level": "low",
        "timestamp": "2019-12-27T18:11:19.117Z",
        "event_details": {}
      }
    ],
    "name": "name",
    "last_reset_time": "2019-12-27T18:11:19.117Z",
    "risk_level": "low"
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Clear the risk score for a particular user

`client.ZeroTrust.RiskScoring.Reset(ctx, userID, body) (*RiskScoringResetResponse, error)`

**post** `/accounts/{account_id}/zt_risk_scoring/{user_id}/reset`

Resets risk scores for specified users, clearing their accumulated risk history.

### Parameters

- `userID string`
- `body RiskScoringResetParams`
  - `AccountID param.Field[string]`

### Returns

- `type RiskScoringResetResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.RiskScoring.Reset(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.RiskScoringResetParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

# Behaviours

## Get all behaviors and associated configuration

`client.ZeroTrust.RiskScoring.Behaviours.Get(ctx, query) (*RiskScoringBehaviourGetResponse, error)`

**get** `/accounts/{account_id}/zt_risk_scoring/behaviors`

Retrieves configured risk score behaviors that define how user actions affect their overall risk score.

### Parameters

- `query RiskScoringBehaviourGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type RiskScoringBehaviourGetResponse struct{…}`
  - `Behaviors map[string, RiskScoringBehaviourGetResponseBehavior]`
    - `Description string`
    - `Enabled bool`
    - `Name string`
    - `RiskLevel RiskScoringBehaviourGetResponseBehaviorsRiskLevel`
      - `const RiskScoringBehaviourGetResponseBehaviorsRiskLevelLow RiskScoringBehaviourGetResponseBehaviorsRiskLevel = "low"`
      - `const RiskScoringBehaviourGetResponseBehaviorsRiskLevelMedium RiskScoringBehaviourGetResponseBehaviorsRiskLevel = "medium"`
      - `const RiskScoringBehaviourGetResponseBehaviorsRiskLevelHigh RiskScoringBehaviourGetResponseBehaviorsRiskLevel = "high"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	behaviour, err := client.ZeroTrust.RiskScoring.Behaviours.Get(context.TODO(), zero_trust.RiskScoringBehaviourGetParams{
		AccountID: cloudflare.F("account_id"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", behaviour.Behaviors)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "behaviors": {
      "foo": {
        "description": "description",
        "enabled": true,
        "name": "name",
        "risk_level": "low"
      }
    }
  }
}
```

## Update configuration for risk behaviors

`client.ZeroTrust.RiskScoring.Behaviours.Update(ctx, params) (*RiskScoringBehaviourUpdateResponse, error)`

**put** `/accounts/{account_id}/zt_risk_scoring/behaviors`

Updates risk score behavior configurations, defining weights and thresholds for risk calculation.

### Parameters

- `params RiskScoringBehaviourUpdateParams`
  - `AccountID param.Field[string]` Path param: Account ID.
  - `Behaviors param.Field[map[string, RiskScoringBehaviourUpdateParamsBehaviors]]` Body param
    - `Enabled bool`
    - `RiskLevel RiskScoringBehaviourUpdateParamsBehaviorsRiskLevel`
      - `const RiskScoringBehaviourUpdateParamsBehaviorsRiskLevelLow RiskScoringBehaviourUpdateParamsBehaviorsRiskLevel = "low"`
      - `const RiskScoringBehaviourUpdateParamsBehaviorsRiskLevelMedium RiskScoringBehaviourUpdateParamsBehaviorsRiskLevel = "medium"`
      - `const RiskScoringBehaviourUpdateParamsBehaviorsRiskLevelHigh RiskScoringBehaviourUpdateParamsBehaviorsRiskLevel = "high"`

### Returns

- `type RiskScoringBehaviourUpdateResponse struct{…}`
  - `Behaviors map[string, RiskScoringBehaviourUpdateResponseBehavior]`
    - `Enabled bool`
    - `RiskLevel RiskScoringBehaviourUpdateResponseBehaviorsRiskLevel`
      - `const RiskScoringBehaviourUpdateResponseBehaviorsRiskLevelLow RiskScoringBehaviourUpdateResponseBehaviorsRiskLevel = "low"`
      - `const RiskScoringBehaviourUpdateResponseBehaviorsRiskLevelMedium RiskScoringBehaviourUpdateResponseBehaviorsRiskLevel = "medium"`
      - `const RiskScoringBehaviourUpdateResponseBehaviorsRiskLevelHigh RiskScoringBehaviourUpdateResponseBehaviorsRiskLevel = "high"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	behaviour, err := client.ZeroTrust.RiskScoring.Behaviours.Update(context.TODO(), zero_trust.RiskScoringBehaviourUpdateParams{
		AccountID: cloudflare.F("account_id"),
		Behaviors: cloudflare.F(map[string]zero_trust.RiskScoringBehaviourUpdateParamsBehaviors{
			"foo": zero_trust.RiskScoringBehaviourUpdateParamsBehaviors{
				Enabled:   cloudflare.F(true),
				RiskLevel: cloudflare.F(zero_trust.RiskScoringBehaviourUpdateParamsBehaviorsRiskLevelLow),
			},
		}),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", behaviour.Behaviors)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "behaviors": {
      "foo": {
        "enabled": true,
        "risk_level": "low"
      }
    }
  }
}
```

# Summary

## Get risk score info for all users in the account

`client.ZeroTrust.RiskScoring.Summary.Get(ctx, query) (*RiskScoringSummaryGetResponse, error)`

**get** `/accounts/{account_id}/zt_risk_scoring/summary`

Gets an aggregate summary of risk scores across the account, including distribution and trends.

### Parameters

- `query RiskScoringSummaryGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type RiskScoringSummaryGetResponse struct{…}`
  - `Users []RiskScoringSummaryGetResponseUser`
    - `Email string`
    - `EventCount int64`
    - `LastEvent Time`
    - `MaxRiskLevel RiskScoringSummaryGetResponseUsersMaxRiskLevel`
      - `const RiskScoringSummaryGetResponseUsersMaxRiskLevelLow RiskScoringSummaryGetResponseUsersMaxRiskLevel = "low"`
      - `const RiskScoringSummaryGetResponseUsersMaxRiskLevelMedium RiskScoringSummaryGetResponseUsersMaxRiskLevel = "medium"`
      - `const RiskScoringSummaryGetResponseUsersMaxRiskLevelHigh RiskScoringSummaryGetResponseUsersMaxRiskLevel = "high"`
    - `Name string`
    - `UserID string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	summary, err := client.ZeroTrust.RiskScoring.Summary.Get(context.TODO(), zero_trust.RiskScoringSummaryGetParams{
		AccountID: cloudflare.F("account_id"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", summary.Users)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "users": [
      {
        "email": "email",
        "event_count": 0,
        "last_event": "2019-12-27T18:11:19.117Z",
        "max_risk_level": "low",
        "name": "name",
        "user_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Integrations

## List all risk score integrations for the account.

`client.ZeroTrust.RiskScoring.Integrations.List(ctx, query) (*SinglePage[RiskScoringIntegrationListResponse], error)`

**get** `/accounts/{account_id}/zt_risk_scoring/integrations`

Lists all configured Zero Trust risk score integrations for the account.

### Parameters

- `query RiskScoringIntegrationListParams`
  - `AccountID param.Field[string]`

### Returns

- `type RiskScoringIntegrationListResponse struct{…}`
  - `ID string` The id of the integration, a UUIDv4.
  - `AccountTag string` The Cloudflare account tag.
  - `Active bool` Whether this integration is enabled and should export changes in risk score.
  - `CreatedAt Time` When the integration was created in RFC3339 format.
  - `IntegrationType RiskScoringIntegrationListResponseIntegrationType`
    - `const RiskScoringIntegrationListResponseIntegrationTypeOkta RiskScoringIntegrationListResponseIntegrationType = "Okta"`
  - `ReferenceID string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `TenantURL string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `WellKnownURL string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.RiskScoring.Integrations.List(context.TODO(), zero_trust.RiskScoringIntegrationListParams{
		AccountID: cloudflare.F("account_id"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "account_tag": "account_tag",
      "active": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "integration_type": "Okta",
      "reference_id": "reference_id",
      "tenant_url": "tenant_url",
      "well_known_url": "well_known_url"
    }
  ]
}
```

## Get risk score integration by id.

`client.ZeroTrust.RiskScoring.Integrations.Get(ctx, integrationID, query) (*RiskScoringIntegrationGetResponse, error)`

**get** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Get risk score integration by id.

### Parameters

- `integrationID string`
- `query RiskScoringIntegrationGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type RiskScoringIntegrationGetResponse struct{…}`
  - `ID string` The id of the integration, a UUIDv4.
  - `AccountTag string` The Cloudflare account tag.
  - `Active bool` Whether this integration is enabled and should export changes in risk score.
  - `CreatedAt Time` When the integration was created in RFC3339 format.
  - `IntegrationType RiskScoringIntegrationGetResponseIntegrationType`
    - `const RiskScoringIntegrationGetResponseIntegrationTypeOkta RiskScoringIntegrationGetResponseIntegrationType = "Okta"`
  - `ReferenceID string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `TenantURL string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `WellKnownURL string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.RiskScoring.Integrations.Get(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.RiskScoringIntegrationGetParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Create new risk score integration.

`client.ZeroTrust.RiskScoring.Integrations.New(ctx, params) (*RiskScoringIntegrationNewResponse, error)`

**post** `/accounts/{account_id}/zt_risk_scoring/integrations`

Creates a new Zero Trust risk score integration, connecting external risk signals to Cloudflare's risk scoring system.

### Parameters

- `params RiskScoringIntegrationNewParams`
  - `AccountID param.Field[string]` Path param
  - `IntegrationType param.Field[RiskScoringIntegrationNewParamsIntegrationType]` Body param
    - `const RiskScoringIntegrationNewParamsIntegrationTypeOkta RiskScoringIntegrationNewParamsIntegrationType = "Okta"`
  - `TenantURL param.Field[string]` Body param: The base url of the tenant, e.g. "https://tenant.okta.com".
  - `ReferenceID param.Field[string]` Body param: A reference id that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider

### Returns

- `type RiskScoringIntegrationNewResponse struct{…}`
  - `ID string` The id of the integration, a UUIDv4.
  - `AccountTag string` The Cloudflare account tag.
  - `Active bool` Whether this integration is enabled and should export changes in risk score.
  - `CreatedAt Time` When the integration was created in RFC3339 format.
  - `IntegrationType RiskScoringIntegrationNewResponseIntegrationType`
    - `const RiskScoringIntegrationNewResponseIntegrationTypeOkta RiskScoringIntegrationNewResponseIntegrationType = "Okta"`
  - `ReferenceID string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `TenantURL string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `WellKnownURL string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.RiskScoring.Integrations.New(context.TODO(), zero_trust.RiskScoringIntegrationNewParams{
		AccountID:       cloudflare.F("account_id"),
		IntegrationType: cloudflare.F(zero_trust.RiskScoringIntegrationNewParamsIntegrationTypeOkta),
		TenantURL:       cloudflare.F("https://example.com"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Update a risk score integration.

`client.ZeroTrust.RiskScoring.Integrations.Update(ctx, integrationID, params) (*RiskScoringIntegrationUpdateResponse, error)`

**put** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Overwrite the reference_id, tenant_url, and active values with the ones provided.

### Parameters

- `integrationID string`
- `params RiskScoringIntegrationUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Active param.Field[bool]` Body param: Whether this integration is enabled. If disabled, no risk changes will be exported to the third-party.
  - `TenantURL param.Field[string]` Body param: The base url of the tenant, e.g. "https://tenant.okta.com".
  - `ReferenceID param.Field[string]` Body param: A reference id that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider

### Returns

- `type RiskScoringIntegrationUpdateResponse struct{…}`
  - `ID string` The id of the integration, a UUIDv4.
  - `AccountTag string` The Cloudflare account tag.
  - `Active bool` Whether this integration is enabled and should export changes in risk score.
  - `CreatedAt Time` When the integration was created in RFC3339 format.
  - `IntegrationType RiskScoringIntegrationUpdateResponseIntegrationType`
    - `const RiskScoringIntegrationUpdateResponseIntegrationTypeOkta RiskScoringIntegrationUpdateResponseIntegrationType = "Okta"`
  - `ReferenceID string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `TenantURL string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `WellKnownURL string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.RiskScoring.Integrations.Update(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.RiskScoringIntegrationUpdateParams{
			AccountID: cloudflare.F("account_id"),
			Active:    cloudflare.F(true),
			TenantURL: cloudflare.F("https://example.com"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Delete a risk score integration.

`client.ZeroTrust.RiskScoring.Integrations.Delete(ctx, integrationID, body) (*RiskScoringIntegrationDeleteResponse, error)`

**delete** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Removes a Zero Trust risk score integration, disconnecting the external risk signal source.

### Parameters

- `integrationID string`
- `body RiskScoringIntegrationDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type RiskScoringIntegrationDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	integration, err := client.ZeroTrust.RiskScoring.Integrations.Delete(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.RiskScoringIntegrationDeleteParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", integration)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

# References

## Get risk score integration by reference id.

`client.ZeroTrust.RiskScoring.Integrations.References.Get(ctx, referenceID, query) (*RiskScoringIntegrationReferenceGetResponse, error)`

**get** `/accounts/{account_id}/zt_risk_scoring/integrations/reference_id/{reference_id}`

Retrieves a Zero Trust risk score integration using its external reference ID.

### Parameters

- `referenceID string`
- `query RiskScoringIntegrationReferenceGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type RiskScoringIntegrationReferenceGetResponse struct{…}`
  - `ID string` The id of the integration, a UUIDv4.
  - `AccountTag string` The Cloudflare account tag.
  - `Active bool` Whether this integration is enabled and should export changes in risk score.
  - `CreatedAt Time` When the integration was created in RFC3339 format.
  - `IntegrationType RiskScoringIntegrationReferenceGetResponseIntegrationType`
    - `const RiskScoringIntegrationReferenceGetResponseIntegrationTypeOkta RiskScoringIntegrationReferenceGetResponseIntegrationType = "Okta"`
  - `ReferenceID string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `TenantURL string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `WellKnownURL string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	reference, err := client.ZeroTrust.RiskScoring.Integrations.References.Get(
		context.TODO(),
		"reference_id",
		zero_trust.RiskScoringIntegrationReferenceGetParams{
			AccountID: cloudflare.F("account_id"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", reference.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```
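
Added example, not part of the Cloudflare SDK or its documentation: the `/zt_risk_scoring/summary` response documented above, decoded with the standard library and turned into a review queue that can be worked through before any `Reset` call clears a user's accumulated history. The sample JSON, the names `triage`, `rank` and `levelRank`, the out-of-enum `critical` value, and the reading of `result_info.total_count` as the number of users across all pages are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Constructed sample shaped like the documented zt_risk_scoring/summary response.
// "critical" is deliberately outside the documented low/medium/high enum.
const sampleSummary = `{
  "errors": [], "messages": [], "success": true,
  "result": {"users": [
    {"email": "a@example.com", "event_count": 1, "last_event": "2024-05-01T10:00:00Z", "max_risk_level": "low", "name": "A", "user_id": "user-a"},
    {"email": "b@example.com", "event_count": 4, "last_event": "2024-05-02T10:00:00Z", "max_risk_level": "high", "name": "B", "user_id": "user-b"},
    {"email": "c@example.com", "event_count": 2, "last_event": "2024-05-03T10:00:00Z", "max_risk_level": "high", "name": "C", "user_id": "user-c"},
    {"email": "d@example.com", "event_count": 3, "last_event": "2024-05-04T10:00:00Z", "max_risk_level": "medium", "name": "D", "user_id": "user-d"},
    {"email": "e@example.com", "event_count": 1, "last_event": "2024-04-01T10:00:00Z", "max_risk_level": "critical", "name": "E", "user_id": "user-e"}
  ]},
  "result_info": {"count": 5, "page": 1, "per_page": 5, "total_count": 40, "total_pages": 8}
}`

type summaryUser struct {
	Email        string    `json:"email"`
	EventCount   int64     `json:"event_count"`
	LastEvent    time.Time `json:"last_event"`
	MaxRiskLevel string    `json:"max_risk_level"`
	UserID       string    `json:"user_id"`
}

// envelope keeps only the response fields this example reads.
type envelope struct {
	Errors []struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	} `json:"errors"`
	Success bool `json:"success"`
	Result  struct {
		Users []summaryUser `json:"users"`
	} `json:"result"`
	ResultInfo struct {
		TotalCount int `json:"total_count"`
	} `json:"result_info"`
}

var levelRank = map[string]int{"low": 1, "medium": 2, "high": 3}

// rank puts any undocumented level above "high" so it is surfaced, not dropped.
func rank(level string) int {
	if r, ok := levelRank[level]; ok {
		return r
	}
	return 4
}

// triage returns users at or above minLevel, highest risk first and most
// recent event first, plus whether more users exist than this page carried.
func triage(raw []byte, minLevel string) ([]summaryUser, bool, error) {
	var env envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, false, fmt.Errorf("decode summary: %w", err)
	}
	if !env.Success {
		return nil, false, fmt.Errorf("API reported failure: %+v", env.Errors)
	}
	floor := rank(minLevel)
	if floor == 4 {
		return nil, false, fmt.Errorf("unknown threshold %q", minLevel)
	}
	var queue []summaryUser
	for _, u := range env.Result.Users {
		if rank(u.MaxRiskLevel) >= floor {
			queue = append(queue, u)
		}
	}
	sort.SliceStable(queue, func(i, j int) bool {
		ri, rj := rank(queue[i].MaxRiskLevel), rank(queue[j].MaxRiskLevel)
		if ri != rj {
			return ri > rj
		}
		return queue[i].LastEvent.After(queue[j].LastEvent)
	})
	// Assumption: total_count counts users across all pages.
	return queue, env.ResultInfo.TotalCount > len(env.Result.Users), nil
}

func main() {
	queue, truncated, err := triage([]byte(sampleSummary), "medium")
	fmt.Println("error:", err, "more users beyond this page:", truncated)
	for _, u := range queue {
		fmt.Println(u.MaxRiskLevel, u.LastEvent.Format(time.RFC3339), u.Email)
	}
}
```

A queue flagged as truncated covers only part of the account, so an empty result from it is not evidence that no user is at elevated risk.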