Access
Access > AI Controls
Access > AI Controls > Mcp
Access > AI Controls > Mcp > Portals
List MCP Portals
Create a new MCP Portal
Read details of an MCP Portal
Update a MCP Portal
Delete a MCP Portal
Access > AI Controls > Mcp > Servers
List MCP Servers
Create a new MCP Server
Read the details of a MCP Server
Update a MCP Server
Delete a MCP Server
Sync MCP Server Capabilities
Access > Gateway CA
List SSH Certificate Authorities (CA)
Add a new SSH Certificate Authority (CA)
Delete an SSH Certificate Authority (CA)
Access > IdP Federation Grants
List IdP federation grants
Create an IdP federation grant
Get an IdP federation grant
Delete an IdP federation grant
Access > SAML Certificates
List SAML certificate sets
Get SAML certificate set
Rotate SAML certificate
Download current certificate in PEM format
Access > Infrastructure
Access > Infrastructure > Targets
List all targets
Get target
Create new target
Update target
Delete target
Create new targets
Delete targets (Deprecated)
Delete targets
Access > Applications
List Access applications
Get an Access application
Add an Access application
Update an Access application
Delete an Access application
Revoke application tokens
Models
type Application interface{…}
ApplicationSelfHostedApplication
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
CORSHeaders ApplicationSelfHostedApplicationCORSHeaders (optional)
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application.
Preemptively sets the Access session cookie on every hostname in a multi-hostname self-hosted application during the initial redirect chain, rather than setting it lazily on first visit. Defaults to true. Set to false to disable the eager redirect cookie behavior.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig ApplicationSelfHostedApplicationSCIMConfig (optional): Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication ApplicationSelfHostedApplicationSCIMConfigAuthenticationUnion (optional): Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
ApplicationSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ApplicationSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2AccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional): Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional): The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
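The constraints stated in the self-hosted field descriptions above (exactly one entry in allowed_idps when the IdP selection step is skipped, no options preflight bypass while cors_headers is set, the 300ms / 2h45m token lifetime format) can be checked before a configuration is submitted. The Go linter below is an added example, not code from the SDK or the original page; the struct, every field name other than allowed_idps and cors_headers, and the finding strings are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// SelfHostedSettings is a hypothetical local mirror of the self-hosted
// application options described above. It is NOT the SDK's own type; only
// allowed_idps and cors_headers are names taken from the page.
type SelfHostedSettings struct {
	AllowedIdPs            []string // allowed_idps
	SkipIdPSelection       bool     // users skip the identity provider selection step
	CORSHeadersSet         bool     // true when cors_headers is configured
	OptionsPreflightBypass bool     // preflight requests bypass Access authentication
	BindingCookie          bool     // binding cookie enabled
	HTTPOnlyCookie         bool     // HttpOnly cookie attribute enabled
	SameSite               string   // empty means the SameSite setting is omitted
	SessionDuration        string   // token lifetime, e.g. "300ms" or "2h45m"; empty means omitted
}

// Finding strings (constructed for this example).
const (
	ErrIdPCount  = "error: skipping IdP selection requires exactly one entry in allowed_idps"
	ErrPreflight = "error: options preflight bypass cannot be on while cors_headers is set"
	ErrDuration  = "error: token lifetime must be a positive duration such as 300ms or 2h45m"
	AdvBinding   = "advisory: binding cookie is off"
	AdvHTTPOnly  = "advisory: HttpOnly cookie attribute is off"
	AdvSameSite  = "advisory: SameSite cookie setting is not set"
)

// Lint returns findings in a fixed order: documented constraints first
// (errors), then hardening options that were left off (advisories).
func Lint(s SelfHostedSettings) []string {
	var out []string

	// "You must specify only one identity provider in allowed_idps."
	if s.SkipIdPSelection && len(s.AllowedIdPs) != 1 {
		out = append(out, ErrIdPCount)
	}
	// "Cannot turn on if cors_headers is set."
	if s.OptionsPreflightBypass && s.CORSHeadersSet {
		out = append(out, ErrPreflight)
	}
	// The documented units (ns, us/µs, ms, s, m, h) are the ones Go's
	// time.ParseDuration accepts, so it serves as the format check.
	// Zero and negative lifetimes parse successfully and are rejected here.
	if s.SessionDuration != "" {
		d, err := time.ParseDuration(s.SessionDuration)
		if err != nil || d <= 0 {
			out = append(out, ErrDuration)
		}
	}
	// Cookie protections the page describes as increasing security.
	if !s.BindingCookie {
		out = append(out, AdvBinding)
	}
	if !s.HTTPOnlyCookie {
		out = append(out, AdvHTTPOnly)
	}
	if s.SameSite == "" {
		out = append(out, AdvSameSite)
	}
	return out
}

func main() {
	// Constructed sample configuration, not taken from a real account.
	cfg := SelfHostedSettings{
		AllowedIdPs:            []string{"idp-a", "idp-b"},
		SkipIdPSelection:       true,
		CORSHeadersSet:         true,
		OptionsPreflightBypass: true,
		SessionDuration:        "2 hours",
	}
	for _, f := range Lint(cfg) {
		fmt.Println(f)
	}
}
```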
ApplicationSaaSApplication
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
SaaSApp ApplicationSaaSApplicationSaaSApp (optional)
ApplicationSaaSApplicationSaaSAppAccessSAMLSaaSApp2
AuthType ApplicationSaaSApplicationSaaSAppAccessSAMLSaaSApp2AuthType (optional): Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is “saml”.
The service provider’s endpoint that is responsible for receiving and parsing a SAML assertion.
CustomAttributes []ApplicationSaaSApplicationSaaSAppAccessSAMLSaaSApp2CustomAttribute (optional)
NameFormat ApplicationSaaSApplicationSaaSAppAccessSAMLSaaSApp2CustomAttributesNameFormat (optional): A globally unique name for an identity or service provider.
A JSONata expression that transforms an application’s user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp2
The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
Whether a client secret is required on the token endpoint when the authorization_code_with_pkce grant is used.
AuthType ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp2AuthType (optional): Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
CustomClaims []ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp2CustomClaim (optional)
Scope ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp2CustomClaimsScope (optional): The scope of the claim.
GrantTypes []ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp2GrantType (optional): The OIDC flows supported by this application.
A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.
HybridAndImplicitOptions ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp2HybridAndImplicitOptions (optional)
The permitted URLs to which Cloudflare returns authorization codes and Access/ID tokens.
Scopes []ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp2Scope (optional): Defines the user information shared with Access. The “offline_access” scope is automatically enabled if refresh tokens are enabled.
SCIMConfig ApplicationSaaSApplicationSCIMConfig (optional): Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication ApplicationSaaSApplicationSCIMConfigAuthenticationUnion (optional): Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
ApplicationSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ApplicationSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2AccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional): Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional): The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
ApplicationBrowserSSHApplication
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
CORSHeaders ApplicationBrowserSSHApplicationCORSHeaders (optional)
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application.
Preemptively sets the Access session cookie on every hostname in a multi-hostname self-hosted application during the initial redirect chain, rather than setting it lazily on first visit. Defaults to true. Set to false to disable the eager redirect cookie behavior.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig ApplicationBrowserSSHApplicationSCIMConfig (optional): Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication ApplicationBrowserSSHApplicationSCIMConfigAuthenticationUnion (optional): Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
ApplicationBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ApplicationBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2AccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional): Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional): The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
ApplicationBrowserVNCApplication
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
CORSHeaders ApplicationBrowserVNCApplicationCORSHeaders (optional)
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application.
Preemptively sets the Access session cookie on every hostname in a multi-hostname self-hosted application during the initial redirect chain, rather than setting it lazily on first visit. Defaults to true. Set to false to disable the eager redirect cookie behavior.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig ApplicationBrowserVNCApplicationSCIMConfig (optional): Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication ApplicationBrowserVNCApplicationSCIMConfigAuthenticationUnion (optional): Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
ApplicationBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ApplicationBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2AccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional): Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional): The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
ApplicationAppLauncherApplication
Type ApplicationAppLauncherApplicationType: The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
SCIMConfig ApplicationAppLauncherApplicationSCIMConfig (optional): Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication ApplicationAppLauncherApplicationSCIMConfigAuthenticationUnion (optional): Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationAppLauncherApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
ApplicationAppLauncherApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ApplicationAppLauncherApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationAppLauncherApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2AccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional): Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional): The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
ApplicationDeviceEnrollmentPermissionsApplication
Type ApplicationDeviceEnrollmentPermissionsApplicationType: The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
SCIMConfig ApplicationDeviceEnrollmentPermissionsApplicationSCIMConfig (optional): Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication ApplicationDeviceEnrollmentPermissionsApplicationSCIMConfigAuthenticationUnion (optional): Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationDeviceEnrollmentPermissionsApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
ApplicationDeviceEnrollmentPermissionsApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ApplicationDeviceEnrollmentPermissionsApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2
type SCIMConfigAuthenticationHTTPBasic struct{…}: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationDeviceEnrollmentPermissionsApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2AccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}: Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional): Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional): The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
ApplicationBrowserIsolationPermissionsApplication
Type ApplicationBrowserIsolationPermissionsApplicationType
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
SCIMConfig ApplicationBrowserIsolationPermissionsApplicationSCIMConfig Optional
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication ApplicationBrowserIsolationPermissionsApplicationSCIMConfigAuthenticationUnion Optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationBrowserIsolationPermissionsApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
ApplicationBrowserIsolationPermissionsApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ApplicationBrowserIsolationPermissionsApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationBrowserIsolationPermissionsApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2AccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations Optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness Optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
ApplicationBookmarkApplication
SCIMConfig ApplicationBookmarkApplicationSCIMConfig Optional
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication ApplicationBookmarkApplicationSCIMConfigAuthenticationUnion Optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationBookmarkApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
ApplicationBookmarkApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ApplicationBookmarkApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
ApplicationBookmarkApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication2AccessSCIMConfigAuthenticationOAuthBearerToken2
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations Optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness Optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
type ApplicationPolicy struct{…}
Requires the user to request access from an administrator at the start of each session.
ConnectionRules ApplicationPolicyConnectionRules Optional
The rules that define how users may connect to targets secured by your application.
RDP ApplicationPolicyConnectionRulesRDP Optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method: https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method: https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig ApplicationPolicyMfaConfig Optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []ApplicationPolicyMfaConfigAllowedAuthenticator Optional
Lists the MFA methods that users can authenticate with.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method: https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type OIDCSaaSApp struct{…}
The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
Whether a client secret is required on the token endpoint when the authorization_code_with_pkce grant is used.
AuthType OIDCSaaSAppAuthType Optional
Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
CustomClaims []OIDCSaaSAppCustomClaim Optional
GrantTypes []OIDCSaaSAppGrantType Optional
The OIDC flows supported by this application.
A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
The permitted URLs for Cloudflare to return authorization codes and Access/ID tokens.
type SAMLSaaSApp struct{…}
AuthType SAMLSaaSAppAuthType Optional
Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is “saml”.
The service provider’s endpoint that is responsible for receiving and parsing a SAML assertion.
CustomAttributes []SAMLSaaSAppCustomAttribute Optional
NameFormat SAMLSaaSAppCustomAttributesNameFormat Optional
A globally unique name for an identity or service provider.
The URL that the user will be redirected to after a successful login for IdP-initiated logins.
A JSONata expression that transforms an application’s user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
A [JSONata](https://jsonata.org/) expression that transforms an application’s user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type SCIMConfigMapping struct{…}
Transformations and filters applied to resources before they are provisioned in the remote SCIM service.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations Optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness Optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
AccessApplicationsCAs
List short-lived certificate CAs
Get a short-lived certificate CA
Create a short-lived certificate CA
Delete a short-lived certificate CA
AccessApplicationsUser Policy Checks
Test Access policies
AccessApplicationsPolicies
List Access application policies
Get an Access application policy
Create an Access application policy
Update an Access application policy
Delete an Access application policy
Models
type AccessRule interface{…}
Matches an Access group.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method: https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method: https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessApplicationsPolicy Tests
Get the current status of a given Access policy test
Start Access policy test
AccessApplicationsPolicy TestsUsers
Get an Access policy test users page
AccessApplicationsSettings
Update Access application settings
Update Access application settings
AccessCertificates
List mTLS certificates
Get an mTLS certificate
Add an mTLS certificate
Update an mTLS certificate
Delete an mTLS certificate
AccessCertificatesSettings
List all mTLS hostname settings
Update an mTLS certificate's hostname settings
Models
type CertificateSettings struct{…}
Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.
AccessGroups
List Access groups
Get an Access group
Create an Access group
Update an Access group
Delete an Access group
AccessService Tokens
List service tokens
Get a service token
Create a service token
Update a service token
Delete a service token
Refresh a service token
Rotate a service token
Models
type ServiceToken struct{…}
The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.
AccessBookmarks
List Bookmark applications
Get a Bookmark application
Create a Bookmark application
Update a Bookmark application
Delete a Bookmark application
AccessKeys
Get the Access key configuration
Update the Access key configuration
Rotate Access keys
AccessLogs
AccessLogsAccess Requests
Get Access authentication logs
AccessLogsSCIMUpdates
List Access SCIM update logs
AccessUsers
Get users
Get a user
Create a user
Update a user
Delete a user
AccessUsersActive Sessions
Get active sessions
Get single active session
AccessUsersLast Seen Identity
Get last seen identity
AccessUsersFailed Logins
Get failed logins
AccessCustom Pages
List custom pages
Get a custom page
Create a custom page
Update a custom page
Delete a custom page
AccessTags
Create a tag
Update a tag
Delete a tag
AccessPolicies
List Access reusable policies
Get an Access reusable policy
Create an Access reusable policy
Update an Access reusable policy
Delete an Access reusable policy
Models
type Policy struct{…}
ApprovalGroups []PolicyApprovalGroup Optional
Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method: https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method: https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method: https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.