# Access

# AI Controls

# Mcp

# Portals

## List MCP Portals

`client.ZeroTrust.Access.AIControls.Mcp.Portals.List(ctx, params) (*V4PagePaginationArray[AccessAIControlMcpPortalListResponse], error)`

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Lists all MCP portals configured for the account.

### Parameters

- `params AccessAIControlMcpPortalListParams`
  - `AccountID param.Field[string]` Path param
  - `Page param.Field[int64]` Query param
  - `PerPage param.Field[int64]` Query param
  - `Search param.Field[string]` Query param: Search by id, name, hostname

### Returns

- `type AccessAIControlMcpPortalListResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `Servers []AccessAIControlMcpPortalListResponseServer`
    - `ID string` server id
    - `AuthType AccessAIControlMcpPortalListResponseServersAuthType`
      - `const AccessAIControlMcpPortalListResponseServersAuthTypeOAuth AccessAIControlMcpPortalListResponseServersAuthType = "oauth"`
      - `const AccessAIControlMcpPortalListResponseServersAuthTypeBearer AccessAIControlMcpPortalListResponseServersAuthType = "bearer"`
      - `const AccessAIControlMcpPortalListResponseServersAuthTypeUnauthenticated AccessAIControlMcpPortalListResponseServersAuthType = "unauthenticated"`
    - `Hostname string`
    - `Name string`
    - `Prompts []map[string, unknown]`
    - `Tools []map[string, unknown]`
    - `UpdatedPrompts []map[string, AccessAIControlMcpPortalListResponseServersUpdatedPromptsUnion]`
      - `UnionFloat`
      - `UnionString`
    - `UpdatedTools []map[string, AccessAIControlMcpPortalListResponseServersUpdatedToolsUnion]`
      - `UnionFloat`
      - `UnionString`
    - `CreatedAt Time`
    - `CreatedBy string`
    - `DefaultDisabled bool`
    - `Description string`
    - `Error string`
    - `LastSuccessfulSync Time`
    - `LastSynced Time`
    - `ModifiedAt Time`
    - `ModifiedBy string`
    - `OnBehalf bool`
    - `Status string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.List(context.TODO(), zero_trust.AccessAIControlMcpPortalListParams{
		AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-portal",
      "hostname": "exmaple.com",
      "name": "My MCP Portal",
      "servers": [
        {
          "id": "my-mcp-server",
          "auth_type": "unauthenticated",
          "hostname": "https://example.com/mcp",
          "name": "My MCP Server",
          "prompts": [{ "foo": "bar" }],
          "tools": [{ "foo": "bar" }],
          "updated_prompts": [{ "foo": 0 }],
          "updated_tools": [{ "foo": 0 }],
          "created_at": "2019-12-27T18:11:19.117Z",
          "created_by": "created_by",
          "default_disabled": true,
          "description": "This is one remote mcp server",
          "error": "error",
          "last_successful_sync": "2019-12-27T18:11:19.117Z",
          "last_synced": "2019-12-27T18:11:19.117Z",
          "modified_at": "2019-12-27T18:11:19.117Z",
          "modified_by": "modified_by",
          "on_behalf": true,
          "status": "status"
        }
      ],
      "allow_code_mode": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is my custom MCP Portal",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "secure_web_gateway": false
    }
  ],
  "success": true
}
```

## Create a new MCP Portal

`client.ZeroTrust.Access.AIControls.Mcp.Portals.New(ctx, params) (*AccessAIControlMcpPortalNewResponse, error)`

**post** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Creates a new MCP portal for managing AI tool access through Cloudflare Access.
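
The following is an added example, not part of the Cloudflare SDK or of this reference: it reviews one page of a List MCP Portals response for the security-relevant fields documented above (`allow_code_mode`, `secure_web_gateway`, each server's `auth_type`, and the sync fields). The rule names, the review policy, the reading of the sync timestamps and the sample JSON are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Only the fields this review needs. JSON names follow the
// "List MCP Portals" response documented on this page.
type mcpServer struct {
	ID                 string    `json:"id"`
	AuthType           string    `json:"auth_type"`
	Error              string    `json:"error"`
	LastSuccessfulSync time.Time `json:"last_successful_sync"`
	LastSynced         time.Time `json:"last_synced"`
}

type mcpPortal struct {
	ID               string      `json:"id"`
	AllowCodeMode    bool        `json:"allow_code_mode"`
	SecureWebGateway bool        `json:"secure_web_gateway"`
	Servers          []mcpServer `json:"servers"`
}

type listResponse struct {
	Success bool        `json:"success"`
	Result  []mcpPortal `json:"result"`
}

// Finding is one item for a human reviewer; Server is empty for portal-level rules.
type Finding struct {
	Portal, Server, Rule, Detail string
}

// AuditPortals checks one page of a list response against a review policy
// that is an assumption of this example, not a Cloudflare recommendation.
func AuditPortals(raw []byte) ([]Finding, error) {
	var resp listResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode list response: %w", err)
	}
	if !resp.Success {
		return nil, errors.New("success=false: refusing to audit an error response")
	}
	var out []Finding
	for _, p := range resp.Result {
		add := func(server, rule, detail string) {
			out = append(out, Finding{p.ID, server, rule, detail})
		}
		if p.AllowCodeMode {
			add("", "CODE_MODE_ON", "remote code execution in Dynamic Workers is allowed")
		}
		if !p.SecureWebGateway {
			add("", "SWG_OFF", "outbound MCP traffic is not routed through Secure Web Gateway")
		}
		for _, s := range p.Servers {
			switch s.AuthType {
			case "oauth", "bearer": // authenticated upstream, nothing to report
			case "unauthenticated":
				add(s.ID, "UNAUTH_SERVER", "server auth_type is unauthenticated")
			default: // fail closed on values this reference does not list
				add(s.ID, "UNKNOWN_AUTH", fmt.Sprintf("unrecognised auth_type %q", s.AuthType))
			}
			// Assumed reading of the sync fields: an error string, or a sync
			// attempt newer than the last success, means the stored catalog
			// may not match what the server exposes now.
			if s.Error != "" || s.LastSynced.After(s.LastSuccessfulSync) {
				add(s.ID, "SYNC_FAILING", "last sync attempt did not succeed; tool catalog may be stale")
			}
		}
	}
	return out, nil
}

// Constructed sample in the documented response shape (not real account data).
const sampleListResponse = `{"success": true, "result": [
 {"id": "eng-portal", "allow_code_mode": true, "secure_web_gateway": false, "servers": [
   {"id": "wiki", "auth_type": "oauth", "last_synced": "2025-01-02T00:00:00Z", "last_successful_sync": "2025-01-02T00:00:00Z"},
   {"id": "scratch", "auth_type": "unauthenticated", "last_synced": "2025-01-02T00:00:00Z", "last_successful_sync": "2025-01-01T00:00:00Z"}]},
 {"id": "fin-portal", "allow_code_mode": false, "secure_web_gateway": true, "servers": [
   {"id": "ledger", "auth_type": "bearer", "last_synced": "2025-01-02T00:00:00Z", "last_successful_sync": "2025-01-02T00:00:00Z"}]}
]}`

func main() {
	findings, err := AuditPortals([]byte(sampleListResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-13s portal=%s server=%q %s\n", f.Rule, f.Portal, f.Server, f.Detail)
	}
}
```

The list endpoint is paginated (`Page`, `PerPage`), so a full account review runs this check on every page.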

### Parameters

- `params AccessAIControlMcpPortalNewParams`
  - `AccountID param.Field[string]` Path param
  - `ID param.Field[string]` Body param: portal id
  - `Hostname param.Field[string]` Body param
  - `Name param.Field[string]` Body param
  - `AllowCodeMode param.Field[bool]` Body param: Allow remote code execution in Dynamic Workers (beta)
  - `Description param.Field[string]` Body param
  - `SecureWebGateway param.Field[bool]` Body param: Route outbound MCP traffic through Zero Trust Secure Web Gateway
  - `Servers param.Field[[]AccessAIControlMcpPortalNewParamsServer]` Body param
    - `ServerID string` server id
    - `DefaultDisabled bool`
    - `OnBehalf bool`
    - `UpdatedPrompts []AccessAIControlMcpPortalNewParamsServersUpdatedPrompt`
      - `Name string`
      - `Alias string`
      - `Description string`
      - `Enabled bool`
    - `UpdatedTools []AccessAIControlMcpPortalNewParamsServersUpdatedTool`
      - `Name string`
      - `Alias string`
      - `Description string`
      - `Enabled bool`

### Returns

- `type AccessAIControlMcpPortalNewResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	portal, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.New(context.TODO(), zero_trust.AccessAIControlMcpPortalNewParams{
		AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
		ID:        cloudflare.F("my-mcp-portal"),
		Hostname:  cloudflare.F("exmaple.com"),
		Name:      cloudflare.F("My MCP Portal"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", portal.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "exmaple.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Read details of an MCP Portal

`client.ZeroTrust.Access.AIControls.Mcp.Portals.Read(ctx, id, query) (*AccessAIControlMcpPortalReadResponse, error)`

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Read details of an MCP Portal

### Parameters

- `id string` portal id
- `query AccessAIControlMcpPortalReadParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpPortalReadResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `Servers []AccessAIControlMcpPortalReadResponseServer`
    - `ID string` server id
    - `AuthType AccessAIControlMcpPortalReadResponseServersAuthType`
      - `const AccessAIControlMcpPortalReadResponseServersAuthTypeOAuth AccessAIControlMcpPortalReadResponseServersAuthType = "oauth"`
      - `const AccessAIControlMcpPortalReadResponseServersAuthTypeBearer AccessAIControlMcpPortalReadResponseServersAuthType = "bearer"`
      - `const AccessAIControlMcpPortalReadResponseServersAuthTypeUnauthenticated AccessAIControlMcpPortalReadResponseServersAuthType = "unauthenticated"`
    - `Hostname string`
    - `Name string`
    - `Prompts []map[string, unknown]`
    - `Tools []map[string, unknown]`
    - `UpdatedPrompts []map[string, AccessAIControlMcpPortalReadResponseServersUpdatedPromptsUnion]`
      - `UnionFloat`
      - `UnionString`
    - `UpdatedTools []map[string, AccessAIControlMcpPortalReadResponseServersUpdatedToolsUnion]`
      - `UnionFloat`
      - `UnionString`
    - `CreatedAt Time`
    - `CreatedBy string`
    - `DefaultDisabled bool`
    - `Description string`
    - `Error string`
    - `LastSuccessfulSync Time`
    - `LastSynced Time`
    - `ModifiedAt Time`
    - `ModifiedBy string`
    - `OnBehalf bool`
    - `Status string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.Read(
		context.TODO(),
		"my-mcp-portal",
		zero_trust.AccessAIControlMcpPortalReadParams{
			AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "exmaple.com",
    "name": "My MCP Portal",
    "servers": [
      {
        "id": "my-mcp-server",
        "auth_type": "unauthenticated",
        "hostname": "https://example.com/mcp",
        "name": "My MCP Server",
        "prompts": [{ "foo": "bar" }],
        "tools": [{ "foo": "bar" }],
        "updated_prompts": [{ "foo": 0 }],
        "updated_tools": [{ "foo": 0 }],
        "created_at": "2019-12-27T18:11:19.117Z",
        "created_by": "created_by",
        "default_disabled": true,
        "description": "This is one remote mcp server",
        "error": "error",
        "last_successful_sync": "2019-12-27T18:11:19.117Z",
        "last_synced": "2019-12-27T18:11:19.117Z",
        "modified_at": "2019-12-27T18:11:19.117Z",
        "modified_by": "modified_by",
        "on_behalf": true,
        "status": "status"
      }
    ],
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Update an MCP Portal

`client.ZeroTrust.Access.AIControls.Mcp.Portals.Update(ctx, id, params) (*AccessAIControlMcpPortalUpdateResponse, error)`

**put** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Updates an MCP portal configuration.

### Parameters

- `id string` portal id
- `params AccessAIControlMcpPortalUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `AllowCodeMode param.Field[bool]` Body param: Allow remote code execution in Dynamic Workers (beta)
  - `Description param.Field[string]` Body param
  - `Hostname param.Field[string]` Body param
  - `Name param.Field[string]` Body param
  - `SecureWebGateway param.Field[bool]` Body param: Route outbound MCP traffic through Zero Trust Secure Web Gateway
  - `Servers param.Field[[]AccessAIControlMcpPortalUpdateParamsServer]` Body param
    - `ServerID string` server id
    - `DefaultDisabled bool`
    - `OnBehalf bool`
    - `UpdatedPrompts []AccessAIControlMcpPortalUpdateParamsServersUpdatedPrompt`
      - `Name string`
      - `Alias string`
      - `Description string`
      - `Enabled bool`
    - `UpdatedTools []AccessAIControlMcpPortalUpdateParamsServersUpdatedTool`
      - `Name string`
      - `Alias string`
      - `Description string`
      - `Enabled bool`

### Returns

- `type AccessAIControlMcpPortalUpdateResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	portal, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.Update(
		context.TODO(),
		"my-mcp-portal",
		zero_trust.AccessAIControlMcpPortalUpdateParams{
			AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", portal.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "exmaple.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Delete an MCP Portal

`client.ZeroTrust.Access.AIControls.Mcp.Portals.Delete(ctx, id, body) (*AccessAIControlMcpPortalDeleteResponse, error)`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Deletes an MCP portal from the account.

### Parameters

- `id string` portal id
- `body AccessAIControlMcpPortalDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpPortalDeleteResponse struct{…}`
  - `ID string` portal id
  - `Hostname string`
  - `Name string`
  - `AllowCodeMode bool` Allow remote code execution in Dynamic Workers (beta)
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `SecureWebGateway bool` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	portal, err := client.ZeroTrust.Access.AIControls.Mcp.Portals.Delete(
		context.TODO(),
		"my-mcp-portal",
		zero_trust.AccessAIControlMcpPortalDeleteParams{
			AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", portal.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "exmaple.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

# Servers

## List MCP Servers

`client.ZeroTrust.Access.AIControls.Mcp.Servers.List(ctx, params) (*V4PagePaginationArray[AccessAIControlMcpServerListResponse], error)`

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Lists all MCP portals configured for the account.

### Parameters

- `params AccessAIControlMcpServerListParams`
  - `AccountID param.Field[string]` Path param
  - `Page param.Field[int64]` Query param
  - `PerPage param.Field[int64]` Query param
  - `Search param.Field[string]` Query param: Search by id, name

### Returns

- `type AccessAIControlMcpServerListResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerListResponseAuthType`
    - `const AccessAIControlMcpServerListResponseAuthTypeOAuth AccessAIControlMcpServerListResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerListResponseAuthTypeBearer AccessAIControlMcpServerListResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerListResponseAuthTypeUnauthenticated AccessAIControlMcpServerListResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.List(context.TODO(), zero_trust.AccessAIControlMcpServerListParams{
		AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-server",
      "auth_type": "unauthenticated",
      "hostname": "https://example.com/mcp",
      "name": "My MCP Server",
      "prompts": [{ "foo": "bar" }],
      "tools": [{ "foo": "bar" }],
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is one remote mcp server",
      "error": "error",
      "last_successful_sync": "2019-12-27T18:11:19.117Z",
      "last_synced": "2019-12-27T18:11:19.117Z",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "status": "status"
    }
  ],
  "success": true
}
```

## Create a new MCP Server

`client.ZeroTrust.Access.AIControls.Mcp.Servers.New(ctx, params) (*AccessAIControlMcpServerNewResponse, error)`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Creates a new MCP portal for managing AI tool access through Cloudflare Access.

### Parameters

- `params AccessAIControlMcpServerNewParams`
  - `AccountID param.Field[string]` Path param
  - `ID param.Field[string]` Body param: server id
  - `AuthType param.Field[AccessAIControlMcpServerNewParamsAuthType]` Body param
    - `const AccessAIControlMcpServerNewParamsAuthTypeOAuth AccessAIControlMcpServerNewParamsAuthType = "oauth"`
    - `const AccessAIControlMcpServerNewParamsAuthTypeBearer AccessAIControlMcpServerNewParamsAuthType = "bearer"`
    - `const AccessAIControlMcpServerNewParamsAuthTypeUnauthenticated AccessAIControlMcpServerNewParamsAuthType = "unauthenticated"`
  - `Hostname param.Field[string]` Body param
  - `Name param.Field[string]` Body param
  - `AuthCredentials param.Field[string]` Body param
  - `Description param.Field[string]` Body param

### Returns

- `type AccessAIControlMcpServerNewResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerNewResponseAuthType`
    - `const AccessAIControlMcpServerNewResponseAuthTypeOAuth AccessAIControlMcpServerNewResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerNewResponseAuthTypeBearer AccessAIControlMcpServerNewResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerNewResponseAuthTypeUnauthenticated AccessAIControlMcpServerNewResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	server, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.New(context.TODO(), zero_trust.AccessAIControlMcpServerNewParams{
		AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
		ID:        cloudflare.F("my-mcp-server"),
		AuthType:  cloudflare.F(zero_trust.AccessAIControlMcpServerNewParamsAuthTypeUnauthenticated),
		Hostname:  cloudflare.F("https://example.com/mcp"),
		Name:      cloudflare.F("My MCP Server"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", server.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Read the details of an MCP Server

`client.ZeroTrust.Access.AIControls.Mcp.Servers.Read(ctx, id, query) (*AccessAIControlMcpServerReadResponse, error)`

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Retrieves gateway configuration for MCP portals.

### Parameters

- `id string` server id
- `query AccessAIControlMcpServerReadParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpServerReadResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerReadResponseAuthType`
    - `const AccessAIControlMcpServerReadResponseAuthTypeOAuth AccessAIControlMcpServerReadResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerReadResponseAuthTypeBearer AccessAIControlMcpServerReadResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerReadResponseAuthTypeUnauthenticated AccessAIControlMcpServerReadResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.Read(
		context.TODO(),
		"my-mcp-server",
		zero_trust.AccessAIControlMcpServerReadParams{
			AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Update an MCP Server

`client.ZeroTrust.Access.AIControls.Mcp.Servers.Update(ctx, id, params) (*AccessAIControlMcpServerUpdateResponse, error)`

**put** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Updates an MCP portal configuration.

### Parameters

- `id string` server id
- `params AccessAIControlMcpServerUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `AuthCredentials param.Field[string]` Body param
  - `Description param.Field[string]` Body param
  - `Name param.Field[string]` Body param

### Returns

- `type AccessAIControlMcpServerUpdateResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerUpdateResponseAuthType`
    - `const AccessAIControlMcpServerUpdateResponseAuthTypeOAuth AccessAIControlMcpServerUpdateResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerUpdateResponseAuthTypeBearer AccessAIControlMcpServerUpdateResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerUpdateResponseAuthTypeUnauthenticated AccessAIControlMcpServerUpdateResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	server, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.Update(
		context.TODO(),
		"my-mcp-server",
		zero_trust.AccessAIControlMcpServerUpdateParams{
			AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", server.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Delete an MCP Server

`client.ZeroTrust.Access.AIControls.Mcp.Servers.Delete(ctx, id, body) (*AccessAIControlMcpServerDeleteResponse, error)`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Deletes an MCP portal from the account.

### Parameters

- `id string` server id
- `body AccessAIControlMcpServerDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpServerDeleteResponse struct{…}`
  - `ID string` server id
  - `AuthType AccessAIControlMcpServerDeleteResponseAuthType`
    - `const AccessAIControlMcpServerDeleteResponseAuthTypeOAuth AccessAIControlMcpServerDeleteResponseAuthType = "oauth"`
    - `const AccessAIControlMcpServerDeleteResponseAuthTypeBearer AccessAIControlMcpServerDeleteResponseAuthType = "bearer"`
    - `const AccessAIControlMcpServerDeleteResponseAuthTypeUnauthenticated AccessAIControlMcpServerDeleteResponseAuthType = "unauthenticated"`
  - `Hostname string`
  - `Name string`
  - `Prompts []map[string, unknown]`
  - `Tools []map[string, unknown]`
  - `CreatedAt Time`
  - `CreatedBy string`
  - `Description string`
  - `Error string`
  - `LastSuccessfulSync Time`
  - `LastSynced Time`
  - `ModifiedAt Time`
  - `ModifiedBy string`
  - `Status string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	server, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.Delete(
		context.TODO(),
		"my-mcp-server",
		zero_trust.AccessAIControlMcpServerDeleteParams{
			AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", server.ID)
}
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Sync MCP Server Capabilities

`client.ZeroTrust.Access.AIControls.Mcp.Servers.Sync(ctx, id, body) (*AccessAIControlMcpServerSyncResponse, error)`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync`

Syncs an MCP server's tool catalog with the portal.

### Parameters

- `id string` portal id
- `body AccessAIControlMcpServerSyncParams`
  - `AccountID param.Field[string]`

### Returns

- `type AccessAIControlMcpServerSyncResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Access.AIControls.Mcp.Servers.Sync(
		context.TODO(),
		"my-mcp-portal",
		zero_trust.AccessAIControlMcpServerSyncParams{
			AccountID: cloudflare.F("a86a8f5c339544d7bdc89926de14fb8c"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

# Gateway CA

## List SSH Certificate Authorities (CA)

`client.ZeroTrust.Access.GatewayCA.List(ctx, query) (*SinglePage[AccessGatewayCAListResponse], error)`

**get** `/accounts/{account_id}/access/gateway_ca`

Lists SSH Certificate Authorities (CA).

### Parameters

- `query AccessGatewayCAListParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessGatewayCAListResponse struct{…}`
  - `ID string` The key ID of this certificate.
  - `PublicKey string` The public key of this certificate.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.GatewayCA.List(context.TODO(), zero_trust.AccessGatewayCAListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "public_key": "public_key"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Add a new SSH Certificate Authority (CA)

`client.ZeroTrust.Access.GatewayCA.New(ctx, body) (*AccessGatewayCANewResponse, error)`

**post** `/accounts/{account_id}/access/gateway_ca`

Adds a new SSH Certificate Authority (CA).

### Parameters

- `body AccessGatewayCANewParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessGatewayCANewResponse struct{…}`
  - `ID string` The key ID of this certificate.
  - `PublicKey string` The public key of this certificate.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gatewayCA, err := client.ZeroTrust.Access.GatewayCA.New(context.TODO(), zero_trust.AccessGatewayCANewParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewayCA.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "public_key": "public_key"
  }
}
```

## Delete an SSH Certificate Authority (CA)

`client.ZeroTrust.Access.GatewayCA.Delete(ctx, certificateID, body) (*AccessGatewayCADeleteResponse, error)`

**delete** `/accounts/{account_id}/access/gateway_ca/{certificate_id}`

Deletes an SSH Certificate Authority.

### Parameters

- `certificateID string` UUID.
- `body AccessGatewayCADeleteParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessGatewayCADeleteResponse struct{…}`
  - `ID string` UUID.
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) gatewayCA, err := client.ZeroTrust.Access.GatewayCA.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessGatewayCADeleteParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", gatewayCA.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` # Infrastructure # Targets ## List all targets `client.ZeroTrust.Access.Infrastructure.Targets.List(ctx, params) (*V4PagePaginationArray[AccessInfrastructureTargetListResponse], error)` **get** `/accounts/{account_id}/infrastructure/targets` Lists and sorts an account’s targets. Filters are optional and are ANDed together. ### Parameters - `params AccessInfrastructureTargetListParams` - `AccountID param.Field[string]` Path param: Account identifier - `CreatedAfter param.Field[Time]` Query param: Date and time at which the target was created after (inclusive) - `CreatedBefore param.Field[Time]` Query param: Date and time at which the target was created before (inclusive) - `Direction param.Field[AccessInfrastructureTargetListParamsDirection]` Query param: The sorting direction. 
    - `const AccessInfrastructureTargetListParamsDirectionAsc AccessInfrastructureTargetListParamsDirection = "asc"`
    - `const AccessInfrastructureTargetListParamsDirectionDesc AccessInfrastructureTargetListParamsDirection = "desc"`
  - `Hostname param.Field[string]` Query param: Hostname of a target
  - `HostnameContains param.Field[string]` Query param: Partial match to the hostname of a target
  - `IPLike param.Field[string]` Query param: Filters for targets whose IP addresses look like the specified string. Supports `*` as a wildcard character
  - `IPV4 param.Field[string]` Query param: IPv4 address of the target
  - `IPV6 param.Field[string]` Query param: IPv6 address of the target
  - `IPs param.Field[[]string]` Query param: Filters for targets that have any of the following IP addresses. Specify `ips` multiple times in query parameter to build list of candidates.
  - `IPV4End param.Field[string]` Query param: Defines an IPv4 filter range's ending value (inclusive). Requires `ipv4_start` to be specified as well.
  - `IPV4Start param.Field[string]` Query param: Defines an IPv4 filter range's starting value (inclusive). Requires `ipv4_end` to be specified as well.
  - `IPV6End param.Field[string]` Query param: Defines an IPv6 filter range's ending value (inclusive). Requires `ipv6_start` to be specified as well.
  - `IPV6Start param.Field[string]` Query param: Defines an IPv6 filter range's starting value (inclusive). Requires `ipv6_end` to be specified as well.
  - `ModifiedAfter param.Field[Time]` Query param: Date and time at which the target was modified after (inclusive)
  - `ModifiedBefore param.Field[Time]` Query param: Date and time at which the target was modified before (inclusive)
  - `Order param.Field[AccessInfrastructureTargetListParamsOrder]` Query param: The field to sort by.
    - `const AccessInfrastructureTargetListParamsOrderHostname AccessInfrastructureTargetListParamsOrder = "hostname"`
    - `const AccessInfrastructureTargetListParamsOrderCreatedAt AccessInfrastructureTargetListParamsOrder = "created_at"`
  - `Page param.Field[int64]` Query param: Current page in the response
  - `PerPage param.Field[int64]` Query param: Max amount of entries returned per page
  - `TargetIDs param.Field[[]string]` Query param: Filters for targets that have any of the following UUIDs. Specify `target_ids` multiple times in query parameter to build list of candidates.
  - `VirtualNetworkID param.Field[string]` Query param: Private virtual network identifier of the target

### Returns

- `type AccessInfrastructureTargetListResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  - `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetListResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetListResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetListResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token; read the real one from the environment or a secret manager.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Infrastructure.Targets.List(context.TODO(), zero_trust.AccessInfrastructureTargetListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get target

`client.ZeroTrust.Access.Infrastructure.Targets.Get(ctx, targetID, query) (*AccessInfrastructureTargetGetResponse, error)`

**get** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Get target

### Parameters

- `targetID string` Target identifier
- `query AccessInfrastructureTargetGetParams`
  - `AccountID param.Field[string]` Account identifier

### Returns

- `type AccessInfrastructureTargetGetResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  -
    `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetGetResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetGetResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetGetResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token; read the real one from the environment or a secret manager.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	target, err := client.ZeroTrust.Access.Infrastructure.Targets.Get(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.AccessInfrastructureTargetGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", target.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Create new target

`client.ZeroTrust.Access.Infrastructure.Targets.New(ctx, params) (*AccessInfrastructureTargetNewResponse, error)`

**post** `/accounts/{account_id}/infrastructure/targets`

Create new target

### Parameters

- `params AccessInfrastructureTargetNewParams`
  - `AccountID param.Field[string]` Path param: Account identifier
  - `Hostname param.Field[string]` Body param: A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `IP param.Field[AccessInfrastructureTargetNewParamsIP]` Body param: The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetNewParamsIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetNewParamsIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `type AccessInfrastructureTargetNewResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  - `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetNewResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetNewResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target.
        If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetNewResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token; read the real one from the environment or a secret manager.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	target, err := client.ZeroTrust.Access.Infrastructure.Targets.New(context.TODO(), zero_trust.AccessInfrastructureTargetNewParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		Hostname:  cloudflare.F("infra-access-target"),
		IP: cloudflare.F(zero_trust.AccessInfrastructureTargetNewParamsIP{
			// Set IPV4 and/or IPV6 here; left empty in this reference example.
		}),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", target.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Update target

`client.ZeroTrust.Access.Infrastructure.Targets.Update(ctx, targetID, params) (*AccessInfrastructureTargetUpdateResponse, error)`

**put**
`/accounts/{account_id}/infrastructure/targets/{target_id}`

Update target

### Parameters

- `targetID string` Target identifier
- `params AccessInfrastructureTargetUpdateParams`
  - `AccountID param.Field[string]` Path param: Account identifier
  - `Hostname param.Field[string]` Body param: A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `IP param.Field[AccessInfrastructureTargetUpdateParamsIP]` Body param: The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetUpdateParamsIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetUpdateParamsIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `type AccessInfrastructureTargetUpdateResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  - `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetUpdateResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetUpdateResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetUpdateResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token; read the real one from the environment or a secret manager.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	target, err := client.ZeroTrust.Access.Infrastructure.Targets.Update(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.AccessInfrastructureTargetUpdateParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
			Hostname:  cloudflare.F("infra-access-target"),
			IP: cloudflare.F(zero_trust.AccessInfrastructureTargetUpdateParamsIP{
				// Set IPV4 and/or IPV6 here; left empty in this reference example.
			}),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", target.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Delete target

`client.ZeroTrust.Access.Infrastructure.Targets.Delete(ctx, targetID, body) error`

**delete** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Delete target

### Parameters

- `targetID string` Target identifier
- `body AccessInfrastructureTargetDeleteParams`
  - `AccountID param.Field[string]` Account identifier

### Example

```go
package main

import (
	"context"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token; read the real one from the environment or a secret manager.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	err := client.ZeroTrust.Access.Infrastructure.Targets.Delete(
		context.TODO(),
		"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
		zero_trust.AccessInfrastructureTargetDeleteParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
}
```

## Create new targets

`client.ZeroTrust.Access.Infrastructure.Targets.BulkUpdate(ctx, params) (*SinglePage[AccessInfrastructureTargetBulkUpdateResponse], error)`

**put** `/accounts/{account_id}/infrastructure/targets/batch`

Adds one or more targets.

### Parameters

- `params AccessInfrastructureTargetBulkUpdateParams`
  - `AccountID param.Field[string]` Path param: Account identifier
  - `Body param.Field[[]AccessInfrastructureTargetBulkUpdateParamsBody]` Body param
    - `Hostname string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
    - `IP AccessInfrastructureTargetBulkUpdateParamsBodyIP` The IPv4/IPv6 address that identifies where to reach a target
      - `IPV4 AccessInfrastructureTargetBulkUpdateParamsBodyIPIPV4` The target's IPv4 address
        - `IPAddr string` IP address of the target
        - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
      - `IPV6 AccessInfrastructureTargetBulkUpdateParamsBodyIPIPV6` The target's IPv6 address
        - `IPAddr string` IP address of the target
        - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `type AccessInfrastructureTargetBulkUpdateResponse struct{…}`
  - `ID string` Target identifier
  - `CreatedAt Time` Date and time at which the target was created
  - `Hostname string` A non-unique field that refers to a target
  - `IP AccessInfrastructureTargetBulkUpdateResponseIP` The IPv4/IPv6 address that identifies where to reach a target
    - `IPV4 AccessInfrastructureTargetBulkUpdateResponseIPIPV4` The target's IPv4 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `IPV6 AccessInfrastructureTargetBulkUpdateResponseIPIPV6` The target's IPv6 address
      - `IPAddr string` IP address of the target
      - `VirtualNetworkID string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ModifiedAt Time` Date and time at which the target was modified

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token; read the real one from the environment or a secret manager.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Infrastructure.Targets.BulkUpdate(context.TODO(), zero_trust.AccessInfrastructureTargetBulkUpdateParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		Body: []zero_trust.AccessInfrastructureTargetBulkUpdateParamsBody{zero_trust.AccessInfrastructureTargetBulkUpdateParamsBody{
			Hostname: cloudflare.F("infra-access-target"),
			IP: cloudflare.F(zero_trust.AccessInfrastructureTargetBulkUpdateParamsBodyIP{
				// Set IPV4 and/or IPV6 here; left empty in this reference example.
			}),
		}},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ]
}
```

## Delete targets (Deprecated)

`client.ZeroTrust.Access.Infrastructure.Targets.BulkDelete(ctx, body) error`

**delete** `/accounts/{account_id}/infrastructure/targets/batch`

Removes one or more targets.
### Parameters

- `body AccessInfrastructureTargetBulkDeleteParams`
  - `AccountID param.Field[string]` Account identifier

### Example

```go
package main

import (
	"context"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token; read the real one from the environment or a secret manager.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	err := client.ZeroTrust.Access.Infrastructure.Targets.BulkDelete(context.TODO(), zero_trust.AccessInfrastructureTargetBulkDeleteParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
}
```

## Delete targets

`client.ZeroTrust.Access.Infrastructure.Targets.BulkDeleteV2(ctx, params) error`

**post** `/accounts/{account_id}/infrastructure/targets/batch_delete`

Removes one or more targets.

### Parameters

- `params AccessInfrastructureTargetBulkDeleteV2Params`
  - `AccountID param.Field[string]` Path param: Account identifier
  - `TargetIDs param.Field[[]string]` Body param: List of target IDs to bulk delete

### Example

```go
package main

import (
	"context"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Example token; read the real one from the environment or a secret manager.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	err := client.ZeroTrust.Access.Infrastructure.Targets.BulkDeleteV2(context.TODO(), zero_trust.AccessInfrastructureTargetBulkDeleteV2Params{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		TargetIDs: cloudflare.F([]string{"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"}),
	})
	if err != nil {
		panic(err.Error())
	}
}
```

# Applications

## List Access applications

`client.ZeroTrust.Access.Applications.List(ctx, params) (*V4PagePaginationArray[AccessApplicationListResponse], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Lists all Access applications in an account or zone.
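An added example (not part of the SDK reference or the cloudflare-go project): a standard-library Go check that reads one page of this endpoint's JSON response and flags settings that the Returns list for this endpoint describes as affecting authentication, cookies or CORS. The JSON key names are assumed to be the snake_case forms of the documented Go fields, and the sample response, IDs and rule names are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// app is a subset of the application object. The JSON keys are assumed to be
// the snake_case forms of the Go fields in the Returns list (assumption).
type app struct {
	ID   string `json:"id"`
	Name string `json:"name"`
	CORS *struct {
		AllowAllOrigins  bool `json:"allow_all_origins"`
		AllowCredentials bool `json:"allow_credentials"`
	} `json:"cors_headers"`
	// Pointers separate "explicitly false" from "absent". Absent values are
	// not flagged because this example does not assume server-side defaults.
	EnableBindingCookie     *bool `json:"enable_binding_cookie"`
	HTTPOnlyCookieAttribute *bool `json:"http_only_cookie_attribute"`
	OptionsPreflightBypass  bool  `json:"options_preflight_bypass"`
	Policies                []struct {
		ID       string `json:"id"`
		Decision string `json:"decision"`
	} `json:"policies"`
}

type envelope struct {
	Success bool  `json:"success"`
	Result  []app `json:"result"`
}

// Finding is one flagged setting on one application (rule names are hypothetical).
type Finding struct {
	AppID, Rule, Detail string
}

// AuditApps parses one page of a list response and returns review findings.
func AuditApps(raw []byte) ([]Finding, error) {
	var env envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode list response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("list response has success=false")
	}
	var out []Finding
	add := func(a app, rule, detail string) {
		out = append(out, Finding{AppID: a.ID, Rule: rule, Detail: detail})
	}
	for _, a := range env.Result {
		if a.CORS != nil && a.CORS.AllowAllOrigins && a.CORS.AllowCredentials {
			add(a, "cors-any-origin-with-credentials", "allow_all_origins and allow_credentials are both true")
		}
		if a.OptionsPreflightBypass {
			add(a, "preflight-bypass", "OPTIONS preflight requests bypass Access authentication")
		}
		if a.HTTPOnlyCookieAttribute != nil && !*a.HTTPOnlyCookieAttribute {
			add(a, "httponly-off", "HttpOnly cookie attribute is explicitly disabled")
		}
		if a.EnableBindingCookie != nil && !*a.EnableBindingCookie {
			add(a, "binding-cookie-off", "binding cookie is explicitly disabled")
		}
		for _, p := range a.Policies {
			if p.Decision == "bypass" {
				add(a, "bypass-policy", "policy "+p.ID+" uses the bypass decision")
			}
		}
	}
	return out, nil
}

// sampleResponse is constructed for this example; it is not real API output.
const sampleResponse = `{
  "success": true,
  "result": [
    {"id": "app-1", "name": "wiki",
     "cors_headers": {"allow_all_origins": true, "allow_credentials": true},
     "http_only_cookie_attribute": false,
     "enable_binding_cookie": true,
     "policies": [{"id": "pol-1", "decision": "allow"}]},
    {"id": "app-2", "name": "status",
     "options_preflight_bypass": true,
     "policies": [{"id": "pol-2", "decision": "bypass"}]},
    {"id": "app-3", "name": "admin",
     "http_only_cookie_attribute": true,
     "enable_binding_cookie": true,
     "policies": [{"id": "pol-3", "decision": "allow"}]}
  ]
}`

func main() {
	findings, err := AuditApps([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s  %-34s %s\n", f.AppID, f.Rule, f.Detail)
	}
}
```

The list is paginated through `Page` and `PerPage`, so run the check on every page before treating an account as reviewed.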
### Parameters

- `params AccessApplicationListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AUD param.Field[string]` Query param: The aud of the app.
  - `Domain param.Field[string]` Query param: The domain of the app.
  - `Exact param.Field[bool]` Query param: True for only exact string matches against passed name/domain query parameters.
  - `Name param.Field[string]` Query param: The name of the app.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `Search param.Field[string]` Query param: Search for apps by other listed query parameters.
  - `TargetAttributes param.Field[string]` Query param: Target Criteria attributes in key=value format.

### Returns

- `type AccessApplicationListResponse interface{…}`
  - `type AccessApplicationListResponseSelfHostedApplication struct{…}`
    - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `Type ApplicationType` The application type.
      - `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"`
      - `const ApplicationTypeSaaS ApplicationType = "saas"`
      - `const ApplicationTypeSSH ApplicationType = "ssh"`
      - `const ApplicationTypeVNC ApplicationType = "vnc"`
      - `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"`
      - `const ApplicationTypeWARP ApplicationType = "warp"`
      - `const ApplicationTypeBISO ApplicationType = "biso"`
      - `const ApplicationTypeBookmark ApplicationType = "bookmark"`
      - `const ApplicationTypeDashSSO ApplicationType = "dash_sso"`
      - `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"`
      - `const ApplicationTypeRDP ApplicationType = "rdp"`
      - `const ApplicationTypeMcp ApplicationType = "mcp"`
      - `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"`
      - `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"`
    - `ID string` UUID.
    - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `AllowIframe bool` Enables loading application content in an iFrame.
    - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `AppLauncherVisible bool` Displays the application in the App Launcher.
    - `AUD string` Audience tag.
    - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `CORSHeaders CORSHeaders`
      - `AllowAllHeaders bool` Allows all HTTP request headers.
      - `AllowAllMethods bool` Allows all HTTP request methods.
      - `AllowAllOrigins bool` Allows all origins.
      - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers.
      - `AllowedMethods []AllowedMethods` Allowed HTTP request methods.
        - `const AllowedMethodsGet AllowedMethods = "GET"`
        - `const AllowedMethodsPost AllowedMethods = "POST"`
        - `const AllowedMethodsHead AllowedMethods = "HEAD"`
        - `const AllowedMethodsPut AllowedMethods = "PUT"`
        - `const AllowedMethodsDelete AllowedMethods = "DELETE"`
        - `const AllowedMethodsConnect AllowedMethods = "CONNECT"`
        - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"`
        - `const AllowedMethodsTrace AllowedMethods = "TRACE"`
        - `const AllowedMethodsPatch AllowedMethods = "PATCH"`
      - `AllowedOrigins []AllowedOrigins` Allowed origins.
      - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached.
    - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application.
    - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `CustomPages []string` The custom pages that will be displayed when applicable for this application
    - `Destinations []AccessApplicationListResponseSelfHostedApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `type AccessApplicationListResponseSelfHostedApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `Type AccessApplicationListResponseSelfHostedApplicationDestinationsPublicDestinationType`
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseSelfHostedApplicationDestinationsPublicDestinationType = "public"`
        - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `type AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}`
        - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `L4Protocol AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"`
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"`
        - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `Type AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationType`
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationType = "private"`
        - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `type AccessApplicationListResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `McpServerID string` The MCP server id configured in ai-controls.
        - `Type AccessApplicationListResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType`
          - `const AccessApplicationListResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"`
    - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
    - `MfaConfig AccessApplicationListResponseSelfHostedApplicationMfaConfig` Configures multi-factor authentication (MFA) settings.
      - `AllowedAuthenticators []AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
        - `const AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"`
        - `const AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"`
        - `const AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"`
      - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `Name string` The name of the application.
    - `OAuthConfiguration AccessApplicationListResponseSelfHostedApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `DynamicClientRegistration AccessApplicationListResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost.
        - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
        - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `Enabled bool` Whether dynamic client registration is enabled.
      - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `Grant AccessApplicationListResponseSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior.
        - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin.
Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `Policies []AccessApplicationListResponseSelfHostedApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of an re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseSelfHostedApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service.
- `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `type AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationListResponseSaaSApplication struct{…}` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationListResponseSaaSApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseSaaSApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseSaaSApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SaaSApp AccessApplicationListResponseSaaSApplicationSaaSApp` - `type SAMLSaaSApp struct{…}` - `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"` - `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CustomAttributes []SAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source SAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. - `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `IdPEntityID string` The unique identifier for your SaaS application. 
- `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. - `type OIDCSaaSApp struct{…}` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users - `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC. 
- `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"` - `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. - `CustomClaims []OIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token. - `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"` - `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"` - `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"` - `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"` - `Source OIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP map[string, string]` A mapping from IdP ID to claim name. - `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application - `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"` - `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"` - `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"` - `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. 
- `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `Scopes []OIDCSaaSAppScope` Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled - `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"` - `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"` - `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"` - `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"` - `SCIMConfig AccessApplicationListResponseSaaSApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. 
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationListResponseBrowserSSHApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationListResponseBrowserSSHApplicationType` The application type. - `const AccessApplicationListResponseBrowserSSHApplicationTypeSelfHosted AccessApplicationListResponseBrowserSSHApplicationType = "self_hosted"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeSaaS AccessApplicationListResponseBrowserSSHApplicationType = "saas"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeSSH AccessApplicationListResponseBrowserSSHApplicationType = "ssh"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeVNC AccessApplicationListResponseBrowserSSHApplicationType = "vnc"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeAppLauncher AccessApplicationListResponseBrowserSSHApplicationType = "app_launcher"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeWARP AccessApplicationListResponseBrowserSSHApplicationType = "warp"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeBISO AccessApplicationListResponseBrowserSSHApplicationType = "biso"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeBookmark AccessApplicationListResponseBrowserSSHApplicationType = "bookmark"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeDashSSO AccessApplicationListResponseBrowserSSHApplicationType = "dash_sso"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeInfrastructure AccessApplicationListResponseBrowserSSHApplicationType = "infrastructure"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeRDP AccessApplicationListResponseBrowserSSHApplicationType = "rdp"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeMcp 
AccessApplicationListResponseBrowserSSHApplicationType = "mcp"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeMcpPortal AccessApplicationListResponseBrowserSSHApplicationType = "mcp_portal"` - `const AccessApplicationListResponseBrowserSSHApplicationTypeProxyEndpoint AccessApplicationListResponseBrowserSSHApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseBrowserSSHApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. 
If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationListResponseBrowserSSHApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseBrowserSSHApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationListResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationListResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationListResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationListResponseBrowserSSHApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationListResponseBrowserSSHApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationListResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. 
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationListResponseBrowserSSHApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `Policies []AccessApplicationListResponseBrowserSSHApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseBrowserSSHApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationListResponseBrowserVNCApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationListResponseBrowserVNCApplicationType` The application type. 
- `const AccessApplicationListResponseBrowserVNCApplicationTypeSelfHosted AccessApplicationListResponseBrowserVNCApplicationType = "self_hosted"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeSaaS AccessApplicationListResponseBrowserVNCApplicationType = "saas"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeSSH AccessApplicationListResponseBrowserVNCApplicationType = "ssh"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeVNC AccessApplicationListResponseBrowserVNCApplicationType = "vnc"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeAppLauncher AccessApplicationListResponseBrowserVNCApplicationType = "app_launcher"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeWARP AccessApplicationListResponseBrowserVNCApplicationType = "warp"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeBISO AccessApplicationListResponseBrowserVNCApplicationType = "biso"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeBookmark AccessApplicationListResponseBrowserVNCApplicationType = "bookmark"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeDashSSO AccessApplicationListResponseBrowserVNCApplicationType = "dash_sso"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeInfrastructure AccessApplicationListResponseBrowserVNCApplicationType = "infrastructure"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeRDP AccessApplicationListResponseBrowserVNCApplicationType = "rdp"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeMcp AccessApplicationListResponseBrowserVNCApplicationType = "mcp"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeMcpPortal AccessApplicationListResponseBrowserVNCApplicationType = "mcp_portal"` - `const AccessApplicationListResponseBrowserVNCApplicationTypeProxyEndpoint AccessApplicationListResponseBrowserVNCApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseBrowserVNCApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationListResponseBrowserVNCApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseBrowserVNCApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationListResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationListResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationListResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationListResponseBrowserVNCApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationListResponseBrowserVNCApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationListResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationListResponseBrowserVNCApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. 
Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationListResponseBrowserVNCApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseBrowserVNCApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. 
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationListResponseAppLauncherApplication struct{…}` - `Type AccessApplicationListResponseAppLauncherApplicationType` The application type. 
- `const AccessApplicationListResponseAppLauncherApplicationTypeSelfHosted AccessApplicationListResponseAppLauncherApplicationType = "self_hosted"` - `const AccessApplicationListResponseAppLauncherApplicationTypeSaaS AccessApplicationListResponseAppLauncherApplicationType = "saas"` - `const AccessApplicationListResponseAppLauncherApplicationTypeSSH AccessApplicationListResponseAppLauncherApplicationType = "ssh"` - `const AccessApplicationListResponseAppLauncherApplicationTypeVNC AccessApplicationListResponseAppLauncherApplicationType = "vnc"` - `const AccessApplicationListResponseAppLauncherApplicationTypeAppLauncher AccessApplicationListResponseAppLauncherApplicationType = "app_launcher"` - `const AccessApplicationListResponseAppLauncherApplicationTypeWARP AccessApplicationListResponseAppLauncherApplicationType = "warp"` - `const AccessApplicationListResponseAppLauncherApplicationTypeBISO AccessApplicationListResponseAppLauncherApplicationType = "biso"` - `const AccessApplicationListResponseAppLauncherApplicationTypeBookmark AccessApplicationListResponseAppLauncherApplicationType = "bookmark"` - `const AccessApplicationListResponseAppLauncherApplicationTypeDashSSO AccessApplicationListResponseAppLauncherApplicationType = "dash_sso"` - `const AccessApplicationListResponseAppLauncherApplicationTypeInfrastructure AccessApplicationListResponseAppLauncherApplicationType = "infrastructure"` - `const AccessApplicationListResponseAppLauncherApplicationTypeRDP AccessApplicationListResponseAppLauncherApplicationType = "rdp"` - `const AccessApplicationListResponseAppLauncherApplicationTypeMcp AccessApplicationListResponseAppLauncherApplicationType = "mcp"` - `const AccessApplicationListResponseAppLauncherApplicationTypeMcpPortal AccessApplicationListResponseAppLauncherApplicationType = "mcp_portal"` - `const AccessApplicationListResponseAppLauncherApplicationTypeProxyEndpoint AccessApplicationListResponseAppLauncherApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherLogoURL string` The image URL of the logo shown in the App Launcher header. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `BgColor string` The background color of the App Launcher page. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `FooterLinks []AccessApplicationListResponseAppLauncherApplicationFooterLink` The links in the App Launcher footer. - `Name string` The hypertext in the footer link. - `URL string` The hyperlink in the footer link. - `HeaderBgColor string` The background color of the App Launcher header. - `LandingPageDesign AccessApplicationListResponseAppLauncherApplicationLandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `ButtonColor string` The background color of the log in button on the landing page. - `ButtonTextColor string` The color of the text in the log in button on the landing page. - `ImageURL string` The URL of the image shown on the landing page. - `Message string` The message shown on the landing page. - `Title string` The title shown on the landing page. - `Name string` The name of the application.
- `Policies []AccessApplicationListResponseAppLauncherApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy.
Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. 
Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace.
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipAppLauncherLoginPage bool` Determines when to skip the App Launcher landing page. - `type AccessApplicationListResponseDeviceEnrollmentPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. 
- `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `MfaConfig AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationListResponseBrowserIsolationPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. 
- `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationListResponseGatewayIdentityProxyEndpointApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `Name string` The name of the application. - `Policies []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
- `ConnectionRules AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy.
- `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationListResponseBookmarkApplication struct{…}` - `ID string` UUID. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `Domain string` The URL or domain of the bookmark. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationListResponseBookmarkApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list.
- `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationListResponseInfrastructureApplication struct{…}` - `TargetCriteria []AccessApplicationListResponseInfrastructureApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationListResponseInfrastructureApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationListResponseInfrastructureApplicationTargetCriteriaProtocolSSH AccessApplicationListResponseInfrastructureApplicationTargetCriteriaProtocol = "SSH"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AUD string` Audience tag. - `Name string` The name of the application. 
- `Policies []AccessApplicationListResponseInfrastructureApplicationPolicy` - `ID string` The UUID of the policy - `ConnectionRules AccessApplicationListResponseInfrastructureApplicationPoliciesConnectionRules` The rules that define how users may connect to the targets secured by your application. - `SSH AccessApplicationListResponseInfrastructureApplicationPoliciesConnectionRulesSSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `Usernames []string` Contains the Unix usernames that may be used when connecting over SSH. - `AllowEmailAlias bool` Enables using Identity Provider email alias as SSH username. - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access policy. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UpdatedAt Time` - `type AccessApplicationListResponseBrowserRDPApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `TargetCriteria []AccessApplicationListResponseBrowserRDPApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationListResponseBrowserRDPApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationListResponseBrowserRDPApplicationTargetCriteriaProtocolRDP AccessApplicationListResponseBrowserRDPApplicationTargetCriteriaProtocol = "RDP"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseBrowserRDPApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationListResponseBrowserRDPApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseBrowserRDPApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. 
When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationListResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationListResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationListResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
- `MfaConfig AccessApplicationListResponseBrowserRDPApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationListResponseBrowserRDPApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationListResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
- `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationListResponseBrowserRDPApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationListResponseBrowserRDPApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
- `RDP AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
- `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforces different MFA options. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully. - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseBrowserRDPApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationListResponseMcpServerApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseMcpServerApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseMcpServerApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationListResponseMcpServerApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseMcpServerApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseMcpServerApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationListResponseMcpServerApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationListResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationListResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationListResponseMcpServerApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationListResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application.
When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationListResponseMcpServerApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationListResponseMcpServerApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforces different MFA options. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully. - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email.
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforces different MFA options. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
- `type CountryRule struct{…}` Matches a specific country. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully. - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings.
- `AllowedAuthenticators []AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforces different MFA options. - `type AzureGroupRule struct{…}` Matches an Azure group.
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country. - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully. - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseMcpServerApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `type AccessApplicationListResponseMcpServerPortalApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationListResponseMcpServerPortalApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPublicDestinationType` - `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsPublicDestinationTypePublic AccessApplicationListResponseMcpServerPortalApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationType` - `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationListResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
- `McpServerID string` The MCP server ID configured in ai-controls.
- `Type AccessApplicationListResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType`
- `const AccessApplicationListResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationListResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"`
- `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
- `Name string` The name of the application.
- `OAuthConfiguration AccessApplicationListResponseMcpServerPortalApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `DynamicClientRegistration AccessApplicationListResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration.
- `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost.
- `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
- `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
- `Enabled bool` Whether dynamic client registration is enabled.
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
- `Grant AccessApplicationListResponseMcpServerPortalApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior.
- `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
- `Policies []AccessApplicationListResponseMcpServerPortalApplicationPolicy`
- `ID string` The UUID of the policy.
- `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
- `ApprovalsNeeded float64` The number of approvals needed to obtain access.
- `EmailAddresses []string` A list of emails that can approve the access request.
- `EmailListUUID string` The UUID of a reusable email list.
- `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
- `ConnectionRules AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
- `RDP AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country.
- `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
- `type DomainRule struct{…}` Matches an entire email domain.
- `type EmailListRule struct{…}` Matches an email address from a list.
- `type EmailRule struct{…}` Matches a specific email.
- `type EveryoneRule struct{…}` Matches everyone.
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
- `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
- `type IPListRule struct{…}` Matches an IP address from a list.
- `type IPRule struct{…}` Matches an IP address block.
- `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
- `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
- `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
- `type GroupRule struct{…}` Matches an Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
- `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
- `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
- `type CountryRule struct{…}` Matches a specific country.
- `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
- `type DomainRule struct{…}` Matches an entire email domain.
- `type EmailListRule struct{…}` Matches an email address from a list.
- `type EmailRule struct{…}` Matches a specific email.
- `type EveryoneRule struct{…}` Matches everyone.
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
- `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
- `type IPListRule struct{…}` Matches an IP address from a list.
- `type IPRule struct{…}` Matches an IP address block.
- `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
- `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
- `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. 
- `type GroupRule struct{…}` Matches an Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
- `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
- `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
- `type CountryRule struct{…}` Matches a specific country.
- `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
- `type DomainRule struct{…}` Matches an entire email domain.
- `type EmailListRule struct{…}` Matches an email address from a list.
- `type EmailRule struct{…}` Matches a specific email.
- `type EveryoneRule struct{…}` Matches everyone.
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
- `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
- `type IPListRule struct{…}` Matches an IP address from a list.
- `type IPRule struct{…}` Matches an IP address block.
- `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
- `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationListResponseMcpServerPortalApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. 
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Example token value; supply your own API token.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// List the Access applications.
	page, err := client.ZeroTrust.Access.Applications.List(context.TODO(), zero_trust.AccessApplicationListParams{})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "domain": "test.example.com/admin",
      "type": "self_hosted",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "allow_authenticate_via_warp": true,
      "allow_iframe": true,
      "allowed_idps": [
        "699d98642c564d2e855e9661899b7252"
      ],
      "app_launcher_visible": true,
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "auto_redirect_to_identity": true,
      "cors_headers": {
        "allow_all_headers": true,
        "allow_all_methods": true,
        "allow_all_origins": true,
        "allow_credentials": true,
        "allowed_headers": [
          "string"
        ],
        "allowed_methods": [
          "GET"
        ],
        "allowed_origins": [
          "https://example.com"
        ],
        "max_age": -1
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "custom_deny_message": "custom_deny_message",
      "custom_deny_url": "custom_deny_url",
      "custom_non_identity_deny_url": "custom_non_identity_deny_url",
      "custom_pages": [
        "699d98642c564d2e855e9661899b7252"
      ],
      "destinations": [
        {
          "type": "public",
          "uri": "test.example.com/admin"
        },
        {
          "type": "public",
          "uri": "test.anotherexample.com/staff"
        },
        {
          "cidr": "10.5.0.0/24",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80-90",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "10.5.0.3/32",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "cidr",
          "hostname": "private-sni.example.com",
          "l4_protocol": "tcp",
          "port_range": "port_range",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "mcp_server_id": "mcp-server-1",
          "type": "via_mcp_server_portal"
        }
      ],
      "enable_binding_cookie": true,
      "http_only_cookie_attribute": true,
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "mfa_config": {
        "allowed_authenticators": [
          "totp",
          "biometrics",
          "security_key"
        ],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Admin Site",
      "oauth_configuration": {
        "dynamic_client_registration": {
          "allow_any_on_localhost": true,
          "allow_any_on_loopback": true,
          "allowed_uris": [
            "https://example.com/callback"
          ],
          "enabled": true
        },
        "enabled": true,
        "grant": {
          "access_token_lifetime": "5m",
          "session_duration": "24h"
        }
      },
      "options_preflight_bypass": true,
      "path_cookie_attribute": true,
      "policies": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "approval_groups": [
            {
              "approvals_needed": 1,
              "email_addresses": [
                "test1@cloudflare.com",
                "test2@cloudflare.com"
              ],
              "email_list_uuid": "email_list_uuid"
            },
            {
              "approvals_needed": 3,
              "email_addresses": [
                "test@cloudflare.com",
                "test2@cloudflare.com"
              ],
              "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
            }
          ],
          "approval_required": true,
          "connection_rules": {
            "rdp": {
              "allowed_clipboard_local_to_remote_formats": [
                "text"
              ],
              "allowed_clipboard_remote_to_local_formats": [
                "text"
              ]
            }
          },
          "created_at": "2014-01-01T05:20:00.12345Z",
          "decision": "allow",
          "exclude": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "include": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "isolation_required": false,
          "mfa_config": {
            "allowed_authenticators": [
              "totp",
              "biometrics",
              "security_key"
            ],
            "mfa_disabled": false,
            "session_duration": "24h"
          },
          "name": "Allow devs",
          "precedence": 0,
          "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
          "purpose_justification_required": true,
          "require": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "session_duration": "24h",
          "updated_at": "2014-01-01T05:20:00.12345Z"
        }
      ],
      "read_service_tokens_from_header": "Authorization",
      "same_site_cookie_attribute": "strict",
      "scim_config": {
        "idp_uid": "idp_uid",
        "remote_uri": "remote_uri",
        "authentication": {
          "password": "password",
          "scheme": "httpbasic",
          "user": "user"
        },
        "deactivate_on_delete": true,
        "enabled": true,
        "mappings": [
          {
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "enabled": true,
            "filter": "title pr or userType eq \"Intern\"",
            "operations": {
              "create": true,
              "delete": true,
              "update": true
            },
            "strictness": "strict",
            "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
          }
        ]
      },
      "self_hosted_domains": [
        "test.example.com/admin",
        "test.anotherexample.com/staff"
      ],
      "service_auth_401_redirect": true,
      "session_duration": "24h",
      "skip_interstitial": true,
      "tags": [
        "engineers"
      ],
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "use_clientless_isolation_app_launcher_url": false
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application

`client.ZeroTrust.Access.Applications.Get(ctx, appID, query) (*AccessApplicationGetResponse, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Fetches information about an Access application.

### Parameters

- `AppID AppID` Identifier.
- `query AccessApplicationGetParams`
- `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationGetResponse interface{…}`
- `type AccessApplicationGetResponseSelfHostedApplication struct{…}`
- `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `Type ApplicationType` The application type.
- `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"`
- `const ApplicationTypeSaaS ApplicationType = "saas"`
- `const ApplicationTypeSSH ApplicationType = "ssh"`
- `const ApplicationTypeVNC ApplicationType = "vnc"`
- `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"`
- `const ApplicationTypeWARP ApplicationType = "warp"`
- `const ApplicationTypeBISO ApplicationType = "biso"`
- `const ApplicationTypeBookmark ApplicationType = "bookmark"`
- `const ApplicationTypeDashSSO ApplicationType = "dash_sso"`
- `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"`
- `const ApplicationTypeRDP ApplicationType = "rdp"`
- `const ApplicationTypeMcp ApplicationType = "mcp"`
- `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"`
- `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"`
- `ID string` UUID.
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `AllowIframe bool` Enables loading application content in an iFrame.
- `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. - `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []AllowedOrigins` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseSelfHostedApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseSelfHostedApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationGetResponseSelfHostedApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseSelfHostedApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. 
- `const AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationGetResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. 
- `MfaConfig AccessApplicationGetResponseSelfHostedApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseSelfHostedApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. 
- `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationGetResponseSelfHostedApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
- `RDP AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. 
- `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. 
- `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. 
- `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. 
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. 
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseSelfHostedApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service.
- `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `type AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `type AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. 
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationGetResponseSaaSApplication struct{…}` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseSaaSApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. 
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SaaSApp AccessApplicationGetResponseSaaSApplicationSaaSApp` - `type SAMLSaaSApp struct{…}` - `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"` - `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CustomAttributes []SAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source SAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. - `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `IdPEntityID string` The unique identifier for your SaaS application. 
- `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. - `type OIDCSaaSApp struct{…}` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users. - `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC. 
- `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"` - `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. - `CustomClaims []OIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token. - `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"` - `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"` - `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"` - `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"` - `Source OIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP map[string, string]` A mapping from IdP ID to claim name. - `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application - `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"` - `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"` - `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"` - `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. 
- `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `Scopes []OIDCSaaSAppScope` Define the user information shared with access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled. - `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"` - `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"` - `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"` - `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"` - `SCIMConfig AccessApplicationGetResponseSaaSApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. 
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationGetResponseBrowserSSHApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationGetResponseBrowserSSHApplicationType` The application type. - `const AccessApplicationGetResponseBrowserSSHApplicationTypeSelfHosted AccessApplicationGetResponseBrowserSSHApplicationType = "self_hosted"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeSaaS AccessApplicationGetResponseBrowserSSHApplicationType = "saas"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeSSH AccessApplicationGetResponseBrowserSSHApplicationType = "ssh"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeVNC AccessApplicationGetResponseBrowserSSHApplicationType = "vnc"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeAppLauncher AccessApplicationGetResponseBrowserSSHApplicationType = "app_launcher"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeWARP AccessApplicationGetResponseBrowserSSHApplicationType = "warp"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeBISO AccessApplicationGetResponseBrowserSSHApplicationType = "biso"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeBookmark AccessApplicationGetResponseBrowserSSHApplicationType = "bookmark"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeDashSSO AccessApplicationGetResponseBrowserSSHApplicationType = "dash_sso"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeInfrastructure AccessApplicationGetResponseBrowserSSHApplicationType = "infrastructure"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeRDP AccessApplicationGetResponseBrowserSSHApplicationType = "rdp"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeMcp 
AccessApplicationGetResponseBrowserSSHApplicationType = "mcp"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeMcpPortal AccessApplicationGetResponseBrowserSSHApplicationType = "mcp_portal"` - `const AccessApplicationGetResponseBrowserSSHApplicationTypeProxyEndpoint AccessApplicationGetResponseBrowserSSHApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseBrowserSSHApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. 
If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseBrowserSSHApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationGetResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationGetResponseBrowserSSHApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseBrowserSSHApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. 
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseBrowserSSHApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationGetResponseBrowserSSHApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseBrowserSSHApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationGetResponseBrowserVNCApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationGetResponseBrowserVNCApplicationType` The application type. 
- `const AccessApplicationGetResponseBrowserVNCApplicationTypeSelfHosted AccessApplicationGetResponseBrowserVNCApplicationType = "self_hosted"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeSaaS AccessApplicationGetResponseBrowserVNCApplicationType = "saas"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeSSH AccessApplicationGetResponseBrowserVNCApplicationType = "ssh"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeVNC AccessApplicationGetResponseBrowserVNCApplicationType = "vnc"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeAppLauncher AccessApplicationGetResponseBrowserVNCApplicationType = "app_launcher"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeWARP AccessApplicationGetResponseBrowserVNCApplicationType = "warp"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeBISO AccessApplicationGetResponseBrowserVNCApplicationType = "biso"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeBookmark AccessApplicationGetResponseBrowserVNCApplicationType = "bookmark"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeDashSSO AccessApplicationGetResponseBrowserVNCApplicationType = "dash_sso"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeInfrastructure AccessApplicationGetResponseBrowserVNCApplicationType = "infrastructure"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeRDP AccessApplicationGetResponseBrowserVNCApplicationType = "rdp"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeMcp AccessApplicationGetResponseBrowserVNCApplicationType = "mcp"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeMcpPortal AccessApplicationGetResponseBrowserVNCApplicationType = "mcp_portal"` - `const AccessApplicationGetResponseBrowserVNCApplicationTypeProxyEndpoint AccessApplicationGetResponseBrowserVNCApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseBrowserVNCApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseBrowserVNCApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationGetResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationGetResponseBrowserVNCApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseBrowserVNCApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseBrowserVNCApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. 
Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationGetResponseBrowserVNCApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseBrowserVNCApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. 
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationGetResponseAppLauncherApplication struct{…}` - `Type AccessApplicationGetResponseAppLauncherApplicationType` The application type. 
- `const AccessApplicationGetResponseAppLauncherApplicationTypeSelfHosted AccessApplicationGetResponseAppLauncherApplicationType = "self_hosted"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeSaaS AccessApplicationGetResponseAppLauncherApplicationType = "saas"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeSSH AccessApplicationGetResponseAppLauncherApplicationType = "ssh"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeVNC AccessApplicationGetResponseAppLauncherApplicationType = "vnc"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeAppLauncher AccessApplicationGetResponseAppLauncherApplicationType = "app_launcher"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeWARP AccessApplicationGetResponseAppLauncherApplicationType = "warp"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeBISO AccessApplicationGetResponseAppLauncherApplicationType = "biso"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeBookmark AccessApplicationGetResponseAppLauncherApplicationType = "bookmark"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeDashSSO AccessApplicationGetResponseAppLauncherApplicationType = "dash_sso"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeInfrastructure AccessApplicationGetResponseAppLauncherApplicationType = "infrastructure"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeRDP AccessApplicationGetResponseAppLauncherApplicationType = "rdp"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeMcp AccessApplicationGetResponseAppLauncherApplicationType = "mcp"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeMcpPortal AccessApplicationGetResponseAppLauncherApplicationType = "mcp_portal"` - `const AccessApplicationGetResponseAppLauncherApplicationTypeProxyEndpoint AccessApplicationGetResponseAppLauncherApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherLogoURL string` The image URL of the logo shown in the App Launcher header. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `BgColor string` The background color of the App Launcher page. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `FooterLinks []AccessApplicationGetResponseAppLauncherApplicationFooterLink` The links in the App Launcher footer. - `Name string` The hypertext in the footer link. - `URL string` The hyperlink in the footer link. - `HeaderBgColor string` The background color of the App Launcher header. - `LandingPageDesign AccessApplicationGetResponseAppLauncherApplicationLandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `ButtonColor string` The background color of the log in button on the landing page. - `ButtonTextColor string` The color of the text in the log in button on the landing page. - `ImageURL string` The URL of the image shown on the landing page. - `Message string` The message shown on the landing page. - `Title string` The title shown on the landing page. - `Name string` The name of the application. 
- `Policies []AccessApplicationGetResponseAppLauncherApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. 
Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. 
Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipAppLauncherLoginPage bool` Determines when to skip the App Launcher landing page. - `type AccessApplicationGetResponseDeviceEnrollmentPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. 
- `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `MfaConfig AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationGetResponseBrowserIsolationPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. 
- `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. 
- `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. 
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationGetResponseGatewayIdentityProxyEndpointApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. 
- `ConnectionRules AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. 
- `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationGetResponseBookmarkApplication struct{…}` - `ID string` UUID. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `Domain string` The URL or domain of the bookmark. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationGetResponseBookmarkApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list.
- `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationGetResponseInfrastructureApplication struct{…}` - `TargetCriteria []AccessApplicationGetResponseInfrastructureApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationGetResponseInfrastructureApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationGetResponseInfrastructureApplicationTargetCriteriaProtocolSSH AccessApplicationGetResponseInfrastructureApplicationTargetCriteriaProtocol = "SSH"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AUD string` Audience tag. - `Name string` The name of the application. 
- `Policies []AccessApplicationGetResponseInfrastructureApplicationPolicy` - `ID string` The UUID of the policy - `ConnectionRules AccessApplicationGetResponseInfrastructureApplicationPoliciesConnectionRules` The rules that define how users may connect to the targets secured by your application. - `SSH AccessApplicationGetResponseInfrastructureApplicationPoliciesConnectionRulesSSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `Usernames []string` Contains the Unix usernames that may be used when connecting over SSH. - `AllowEmailAlias bool` Enables using Identity Provider email alias as SSH username. - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access policy. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UpdatedAt Time` - `type AccessApplicationGetResponseBrowserRDPApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `TargetCriteria []AccessApplicationGetResponseBrowserRDPApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationGetResponseBrowserRDPApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationGetResponseBrowserRDPApplicationTargetCriteriaProtocolRDP AccessApplicationGetResponseBrowserRDPApplicationTargetCriteriaProtocol = "RDP"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseBrowserRDPApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseBrowserRDPApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. 
When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationGetResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
- `MfaConfig AccessApplicationGetResponseBrowserRDPApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseBrowserRDPApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
- `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseBrowserRDPApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationGetResponseBrowserRDPApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
- `RDP AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
- `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseBrowserRDPApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationGetResponseMcpServerApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseMcpServerApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseMcpServerApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationGetResponseMcpServerApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseMcpServerApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseMcpServerApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationGetResponseMcpServerApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseMcpServerApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. 
When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseMcpServerApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `Policies []AccessApplicationGetResponseMcpServerApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group.
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseMcpServerApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `type AccessApplicationGetResponseMcpServerPortalApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationGetResponseMcpServerPortalApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPublicDestinationType` - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPublicDestinationTypePublic AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationType` - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationGetResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationGetResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationGetResponseMcpServerPortalApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationGetResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol.
Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationGetResponseMcpServerPortalApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationGetResponseMcpServerPortalApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. 
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Sample token from the reference docs. In real code, load the token
		// from the environment or a secret store instead of hard-coding it.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	application, err := client.ZeroTrust.Access.Applications.Get(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353", // ID of the Access application to fetch
		zero_trust.AccessApplicationGetParams{
			// Set AccountID or ZoneID here; the two are mutually exclusive.
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", application)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": [
        "string"
      ],
      "allowed_methods": [
        "GET"
      ],
      "allowed_origins": [
        "https://example.com"
      ],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "destinations": [
      {
        "type": "public",
        "uri": "test.example.com/admin"
      },
      {
        "type": "public",
        "uri": "test.anotherexample.com/staff"
      },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "mcp_server_id": "mcp-server-1",
        "type": "via_mcp_server_portal"
      }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": [
          "https://example.com/callback"
        ],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": [
              "test1@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": [
              "test@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": [
              "text"
            ],
            "allowed_clipboard_remote_to_local_formats": [
              "text"
            ]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "include": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": [
            "totp",
            "biometrics",
            "security_key"
          ],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": {
            "create": true,
            "delete": true,
            "update": true
          },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": [
      "engineers"
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Add an Access application

`client.ZeroTrust.Access.Applications.New(ctx, params) (*AccessApplicationNewResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Adds a new
application to Access.

### Parameters

- `params AccessApplicationNewParams`
  - `Domain param.Field[string]` Body param: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `Type param.Field[ApplicationType]` Body param: The application type.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AllowAuthenticateViaWARP param.Field[bool]` Body param: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `AllowIframe param.Field[bool]` Body param: Enables loading application content in an iFrame.
  - `AllowedIdPs param.Field[[]AllowedIdPs]` Body param: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `AppLauncherVisible param.Field[bool]` Body param: Displays the application in the App Launcher.
  - `AutoRedirectToIdentity param.Field[bool]` Body param: When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `CORSHeaders param.Field[CORSHeaders]` Body param
  - `CustomDenyMessage param.Field[string]` Body param: The custom error message shown to a user when they are denied access to the application.
  - `CustomDenyURL param.Field[string]` Body param: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `CustomNonIdentityDenyURL param.Field[string]` Body param: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `CustomPages param.Field[[]string]` Body param: The custom pages that will be displayed when applicable for this application.
  - `Destinations param.Field[[]AccessApplicationNewParamsSelfHostedApplicationDestination]` Body param: List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestination`
      - `Type AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestinationType`
        - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestinationType = "public"`
      - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestination`
      - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `L4Protocol AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"`
        - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"`
      - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `Type AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationType`
        - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationType = "private"`
      - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestination`
      - `McpServerID string` The MCP server id configured in ai-controls.
      - `Type AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType`
        - `const AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"`
  - `EnableBindingCookie param.Field[bool]` Body param: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `HTTPOnlyCookieAttribute param.Field[bool]` Body param: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `LogoURL param.Field[string]` Body param: The image URL for the logo shown in the App Launcher dashboard.
  - `MfaConfig param.Field[AccessApplicationNewParamsSelfHostedApplicationMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Name param.Field[string]` Body param: The name of the application.
  - `OAuthConfiguration param.Field[AccessApplicationNewParamsSelfHostedApplicationOAuthConfiguration]` Body param: **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `DynamicClientRegistration AccessApplicationNewParamsSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost.
      - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
      - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `Enabled bool` Whether dynamic client registration is enabled.
    - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `Grant AccessApplicationNewParamsSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior.
      - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `OptionsPreflightBypass param.Field[bool]` Body param: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `PathCookieAttribute param.Field[bool]` Body param: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `Policies param.Field[[]AccessApplicationNewParamsSelfHostedApplicationPolicyUnion]` Body param: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessApplicationNewParamsSelfHostedApplicationPoliciesAccessAppPolicyLink`
      - `ID string` The UUID of the policy.
      - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
    - `UnionString`
    - `AccessApplicationNewParamsSelfHostedApplicationPoliciesObject`
      - `ID string` The UUID of the policy.
      - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
        - `EmailAddresses []string` A list of emails that can approve the access request.
        - `EmailListUUID string` The UUID of a reusable email list.
      - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
      - `ConnectionRules AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `RDP AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
          - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
      - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `MfaConfig AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfig` Configures multi-factor authentication (MFA) settings.
        - `AllowedAuthenticators []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
          - `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorTotp AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "totp"`
          - `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "biometrics"`
          - `const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "security_key"`
        - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
      - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
      - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
      - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ReadServiceTokensFromHeader param.Field[string]` Body param: Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers.
    The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `SameSiteCookieAttribute param.Field[string]` Body param: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `SCIMConfig param.Field[AccessApplicationNewParamsSelfHostedApplicationSCIMConfig]` Body param: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `RemoteURI string` The base URI for the application's SCIM-compatible API.
    - `Authentication AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `Password string` Password used to authenticate with the remote SCIM service.
        - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application.
          - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"`
        - `User string` User name used to authenticate with the remote SCIM service.
      - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `Token string` Token used to authenticate with the remote SCIM service.
        - `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application.
          - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"`
      - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AuthorizationURL string` URL used to generate the auth code used during token generation.
        - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application.
          - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"`
        - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken`
        - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
        - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service.
        - `Scheme AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
          - `const AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"`
      - `AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication`
        - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken`
          - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
          - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service.
          - `Scheme AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
            - `const AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"`
    - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources.
      If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `Enabled bool` Whether SCIM provisioning is turned on for this application.
    - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `Schema string` Which SCIM resource type this mapping applies to.
      - `Enabled bool` Whether or not this mapping is enabled.
      - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes.
        - `Create bool` Whether or not this mapping applies to create (POST) operations.
        - `Delete bool` Whether or not this mapping applies to DELETE operations.
        - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
        - `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"`
        - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"`
      - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `SelfHostedDomains param.Field[[]SelfHostedDomains]` Body param: List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `ServiceAuth401Redirect param.Field[bool]` Body param: Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `SkipInterstitial param.Field[bool]` Body param: Enables automatic authentication through cloudflared.
  - `Tags param.Field[[]string]` Body param: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `UseClientlessIsolationAppLauncherURL param.Field[bool]` Body param: Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

### Returns

- `type AccessApplicationNewResponse interface{…}`
  - `type AccessApplicationNewResponseSelfHostedApplication struct{…}`
    - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `Type ApplicationType` The application type.
      - `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"`
      - `const ApplicationTypeSaaS ApplicationType = "saas"`
      - `const ApplicationTypeSSH ApplicationType = "ssh"`
      - `const ApplicationTypeVNC ApplicationType = "vnc"`
      - `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"`
      - `const ApplicationTypeWARP ApplicationType = "warp"`
      - `const ApplicationTypeBISO ApplicationType = "biso"`
      - `const ApplicationTypeBookmark ApplicationType = "bookmark"`
      - `const ApplicationTypeDashSSO ApplicationType = "dash_sso"`
      - `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"`
      - `const ApplicationTypeRDP ApplicationType = "rdp"`
      - `const ApplicationTypeMcp ApplicationType = "mcp"`
      - `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"`
      - `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"`
    - `ID string` UUID.
    - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `AllowIframe bool` Enables loading application content in an iFrame.
    - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `AppLauncherVisible bool` Displays the application in the App Launcher.
    - `AUD string` Audience tag.
    - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `CORSHeaders CORSHeaders`
      - `AllowAllHeaders bool` Allows all HTTP request headers.
      - `AllowAllMethods bool` Allows all HTTP request methods.
      - `AllowAllOrigins bool` Allows all origins.
      - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers.
      - `AllowedMethods []AllowedMethods` Allowed HTTP request methods.
        - `const AllowedMethodsGet AllowedMethods = "GET"`
        - `const AllowedMethodsPost AllowedMethods = "POST"`
        - `const AllowedMethodsHead AllowedMethods = "HEAD"`
        - `const AllowedMethodsPut AllowedMethods = "PUT"`
        - `const AllowedMethodsDelete AllowedMethods = "DELETE"`
        - `const AllowedMethodsConnect AllowedMethods = "CONNECT"`
        - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"`
        - `const AllowedMethodsTrace AllowedMethods = "TRACE"`
        - `const AllowedMethodsPatch AllowedMethods = "PATCH"`
      - `AllowedOrigins []AllowedOrigins` Allowed origins.
      - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached.
    - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application.
    - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `CustomPages []string` The custom pages that will be displayed when applicable for this application.
    - `Destinations []AccessApplicationNewResponseSelfHostedApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `type AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `Type AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestinationType`
          - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestinationType = "public"`
        - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `type AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}`
        - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `L4Protocol AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"`
          - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"`
        - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `Type AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationType`
          - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationType = "private"`
        - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `type AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `McpServerID string` The MCP server id configured in ai-controls.
        - `Type AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType`
          - `const AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"`
    - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
    - `MfaConfig AccessApplicationNewResponseSelfHostedApplicationMfaConfig` Configures multi-factor authentication (MFA) settings.
      - `AllowedAuthenticators []AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
        - `const AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"`
        - `const AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"`
        - `const AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"`
      - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `Name string` The name of the application.
    - `OAuthConfiguration AccessApplicationNewResponseSelfHostedApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `DynamicClientRegistration AccessApplicationNewResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost.
        - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1.
        - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `Enabled bool` Whether dynamic client registration is enabled.
      - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `Grant AccessApplicationNewResponseSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior.
        - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin.
Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationNewResponseSelfHostedApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseSelfHostedApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service. 
- `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `type AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationNewResponseSaaSApplication struct{…}` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `CustomPages []string` The custom pages that will be displayed when applicable for this application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseSaaSApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SaaSApp AccessApplicationNewResponseSaaSApplicationSaaSApp` - `type SAMLSaaSApp struct{…}` - `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"` - `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CustomAttributes []SAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source SAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. - `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `IdPEntityID string` The unique identifier for your SaaS application. 
- `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. - `type OIDCSaaSApp struct{…}` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users - `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC.
- `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"` - `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. - `CustomClaims []OIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token. - `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"` - `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"` - `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"` - `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"` - `Source OIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP map[string, string]` A mapping from IdP ID to claim name. - `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application - `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"` - `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"` - `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"` - `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. 
- `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `Scopes []OIDCSaaSAppScope` Define the user information shared with access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled - `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"` - `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"` - `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"` - `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"` - `SCIMConfig AccessApplicationNewResponseSaaSApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationNewResponseBrowserSSHApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationNewResponseBrowserSSHApplicationType` The application type. - `const AccessApplicationNewResponseBrowserSSHApplicationTypeSelfHosted AccessApplicationNewResponseBrowserSSHApplicationType = "self_hosted"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeSaaS AccessApplicationNewResponseBrowserSSHApplicationType = "saas"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeSSH AccessApplicationNewResponseBrowserSSHApplicationType = "ssh"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeVNC AccessApplicationNewResponseBrowserSSHApplicationType = "vnc"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeAppLauncher AccessApplicationNewResponseBrowserSSHApplicationType = "app_launcher"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeWARP AccessApplicationNewResponseBrowserSSHApplicationType = "warp"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeBISO AccessApplicationNewResponseBrowserSSHApplicationType = "biso"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeBookmark AccessApplicationNewResponseBrowserSSHApplicationType = "bookmark"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeDashSSO AccessApplicationNewResponseBrowserSSHApplicationType = "dash_sso"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeInfrastructure AccessApplicationNewResponseBrowserSSHApplicationType = "infrastructure"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeRDP AccessApplicationNewResponseBrowserSSHApplicationType = "rdp"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeMcp 
AccessApplicationNewResponseBrowserSSHApplicationType = "mcp"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeMcpPortal AccessApplicationNewResponseBrowserSSHApplicationType = "mcp_portal"` - `const AccessApplicationNewResponseBrowserSSHApplicationTypeProxyEndpoint AccessApplicationNewResponseBrowserSSHApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseBrowserSSHApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. 
If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseBrowserSSHApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationNewResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationNewResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationNewResponseBrowserSSHApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseBrowserSSHApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled.
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseBrowserSSHApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `Policies []AccessApplicationNewResponseBrowserSSHApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseBrowserSSHApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationNewResponseBrowserVNCApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationNewResponseBrowserVNCApplicationType` The application type. 
- `const AccessApplicationNewResponseBrowserVNCApplicationTypeSelfHosted AccessApplicationNewResponseBrowserVNCApplicationType = "self_hosted"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeSaaS AccessApplicationNewResponseBrowserVNCApplicationType = "saas"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeSSH AccessApplicationNewResponseBrowserVNCApplicationType = "ssh"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeVNC AccessApplicationNewResponseBrowserVNCApplicationType = "vnc"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeAppLauncher AccessApplicationNewResponseBrowserVNCApplicationType = "app_launcher"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeWARP AccessApplicationNewResponseBrowserVNCApplicationType = "warp"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeBISO AccessApplicationNewResponseBrowserVNCApplicationType = "biso"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeBookmark AccessApplicationNewResponseBrowserVNCApplicationType = "bookmark"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeDashSSO AccessApplicationNewResponseBrowserVNCApplicationType = "dash_sso"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeInfrastructure AccessApplicationNewResponseBrowserVNCApplicationType = "infrastructure"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeRDP AccessApplicationNewResponseBrowserVNCApplicationType = "rdp"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeMcp AccessApplicationNewResponseBrowserVNCApplicationType = "mcp"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeMcpPortal AccessApplicationNewResponseBrowserVNCApplicationType = "mcp_portal"` - `const AccessApplicationNewResponseBrowserVNCApplicationTypeProxyEndpoint AccessApplicationNewResponseBrowserVNCApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseBrowserVNCApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseBrowserVNCApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationNewResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationNewResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationNewResponseBrowserVNCApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseBrowserVNCApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseBrowserVNCApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. 
Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationNewResponseBrowserVNCApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Matches an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseBrowserVNCApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. 
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationNewResponseAppLauncherApplication struct{…}` - `Type AccessApplicationNewResponseAppLauncherApplicationType` The application type. 
- `const AccessApplicationNewResponseAppLauncherApplicationTypeSelfHosted AccessApplicationNewResponseAppLauncherApplicationType = "self_hosted"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeSaaS AccessApplicationNewResponseAppLauncherApplicationType = "saas"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeSSH AccessApplicationNewResponseAppLauncherApplicationType = "ssh"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeVNC AccessApplicationNewResponseAppLauncherApplicationType = "vnc"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeAppLauncher AccessApplicationNewResponseAppLauncherApplicationType = "app_launcher"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeWARP AccessApplicationNewResponseAppLauncherApplicationType = "warp"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeBISO AccessApplicationNewResponseAppLauncherApplicationType = "biso"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeBookmark AccessApplicationNewResponseAppLauncherApplicationType = "bookmark"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeDashSSO AccessApplicationNewResponseAppLauncherApplicationType = "dash_sso"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeInfrastructure AccessApplicationNewResponseAppLauncherApplicationType = "infrastructure"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeRDP AccessApplicationNewResponseAppLauncherApplicationType = "rdp"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeMcp AccessApplicationNewResponseAppLauncherApplicationType = "mcp"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeMcpPortal AccessApplicationNewResponseAppLauncherApplicationType = "mcp_portal"` - `const AccessApplicationNewResponseAppLauncherApplicationTypeProxyEndpoint AccessApplicationNewResponseAppLauncherApplicationType = "proxy_endpoint"` - `ID string` UUID. 
- `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherLogoURL string` The image URL of the logo shown in the App Launcher header. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `BgColor string` The background color of the App Launcher page. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `FooterLinks []AccessApplicationNewResponseAppLauncherApplicationFooterLink` The links in the App Launcher footer. - `Name string` The hypertext in the footer link. - `URL string` The hyperlink in the footer link. - `HeaderBgColor string` The background color of the App Launcher header. - `LandingPageDesign AccessApplicationNewResponseAppLauncherApplicationLandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `ButtonColor string` The background color of the log in button on the landing page. - `ButtonTextColor string` The color of the text in the log in button on the landing page. - `ImageURL string` The URL of the image shown on the landing page. - `Message string` The message shown on the landing page. - `Title string` The title shown on the landing page. - `Name string` The name of the application.
- `Policies []AccessApplicationNewResponseAppLauncherApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy.
Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. 
Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace.
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipAppLauncherLoginPage bool` Determines when to skip the App Launcher landing page. - `type AccessApplicationNewResponseDeviceEnrollmentPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. 
- `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `MfaConfig AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationNewResponseBrowserIsolationPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. 
- `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationNewResponseGatewayIdentityProxyEndpointApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
- `ConnectionRules AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy.
- `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationNewResponseBookmarkApplication struct{…}` - `ID string` UUID. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `Domain string` The URL or domain of the bookmark. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationNewResponseBookmarkApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list.
- `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. 
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationNewResponseInfrastructureApplication struct{…}` - `TargetCriteria []AccessApplicationNewResponseInfrastructureApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationNewResponseInfrastructureApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationNewResponseInfrastructureApplicationTargetCriteriaProtocolSSH AccessApplicationNewResponseInfrastructureApplicationTargetCriteriaProtocol = "SSH"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AUD string` Audience tag. - `Name string` The name of the application. 
- `Policies []AccessApplicationNewResponseInfrastructureApplicationPolicy` - `ID string` The UUID of the policy - `ConnectionRules AccessApplicationNewResponseInfrastructureApplicationPoliciesConnectionRules` The rules that define how users may connect to the targets secured by your application. - `SSH AccessApplicationNewResponseInfrastructureApplicationPoliciesConnectionRulesSSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `Usernames []string` Contains the Unix usernames that may be used when connecting over SSH. - `AllowEmailAlias bool` Enables using Identity Provider email alias as SSH username. - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. 
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access policy. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UpdatedAt Time` - `type AccessApplicationNewResponseBrowserRDPApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `TargetCriteria []AccessApplicationNewResponseBrowserRDPApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationNewResponseBrowserRDPApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationNewResponseBrowserRDPApplicationTargetCriteriaProtocolRDP AccessApplicationNewResponseBrowserRDPApplicationTargetCriteriaProtocol = "RDP"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseBrowserRDPApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseBrowserRDPApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. 
When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationNewResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationNewResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
- `MfaConfig AccessApplicationNewResponseBrowserRDPApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseBrowserRDPApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. 
- `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseBrowserRDPApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationNewResponseBrowserRDPApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
- `RDP AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. 
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. 
- `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseBrowserRDPApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationNewResponseMcpServerApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseMcpServerApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseMcpServerApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationNewResponseMcpServerApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseMcpServerApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseMcpServerApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationNewResponseMcpServerApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationNewResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseMcpServerApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application.
When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseMcpServerApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationNewResponseMcpServerApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email.
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings.
- `AllowedAuthenticators []AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group.
Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseMcpServerApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `type AccessApplicationNewResponseMcpServerPortalApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationNewResponseMcpServerPortalApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPublicDestinationType` - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPublicDestinationTypePublic AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationType` - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationNewResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationNewResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationNewResponseMcpServerPortalApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationNewResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol.
Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationNewResponseMcpServerPortalApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationNewResponseMcpServerPortalApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
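The Exclude (NOT), Include (OR) and Require (AND) semantics documented for each policy, as an added Go example that is not part of the cloudflare-go SDK: it dry-runs constructed policies against a constructed identity and fails closed on rule types it does not model. The `Identity` type, the function names, the `email`, `email_domain` and `everyone` JSON keys and the sample policies are assumptions of this example; only the `group` shape is taken from the response shown on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rule is a single-key object such as {"group":{"id":"..."}}. Only "group" is on
// this page; "email", "email_domain" and "everyone" are assumed key names.
type Rule map[string]map[string]any

type Policy struct {
	Name     string `json:"name"`
	Decision string `json:"decision"`
	Include  []Rule `json:"include"`
	Exclude  []Rule `json:"exclude"`
	Require  []Rule `json:"require"`
}

// Identity is a hypothetical stand-in for what the identity provider asserts.
type Identity struct {
	Email  string
	Groups []string
}

// ruleMatches returns (hit, understood). understood is false for rule types
// this sketch does not model, so callers can fail closed on them.
func ruleMatches(r Rule, id Identity) (bool, bool) {
	email := strings.ToLower(id.Email)
	for kind, body := range r {
		val := func(k string) string { s, _ := body[k].(string); return strings.ToLower(s) }
		switch kind {
		case "everyone":
			return true, true
		case "email":
			return email != "" && val("email") == email, true
		case "email_domain":
			return val("domain") != "" && strings.HasSuffix(email, "@"+val("domain")), true
		case "group":
			hit := false
			for _, g := range id.Groups {
				hit = hit || strings.ToLower(g) == val("id")
			}
			return hit, true
		}
	}
	return false, false
}

// PolicyMatches applies the documented semantics: Exclude is NOT (any hit
// rejects), Require is AND (every rule must hit), Include is OR (one hit).
func PolicyMatches(p Policy, id Identity) bool {
	for _, r := range p.Exclude {
		if hit, ok := ruleMatches(r, id); hit || !ok {
			return false // unmodelled Exclude rule: assume it would have excluded
		}
	}
	for _, r := range p.Require {
		if hit, _ := ruleMatches(r, id); !hit {
			return false // unmodelled Require rule counts as unmet
		}
	}
	for _, r := range p.Include {
		if hit, _ := ruleMatches(r, id); hit {
			return true
		}
	}
	return false // nothing in Include matched
}

// OpenToAnyone flags an allow policy that admits an identity with no attributes.
func OpenToAnyone(p Policy) bool {
	return p.Decision == "allow" && PolicyMatches(p, Identity{})
}

func ParsePolicies(raw string) (ps []Policy, err error) {
	err = json.Unmarshal([]byte(raw), &ps)
	return
}

// Constructed sample; the group id is the one used in this page's response.
const samplePolicies = `[
 {"name":"Allow devs","decision":"allow","include":[{"group":{"id":"aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],
  "require":[{"email_domain":{"domain":"example.com"}}],"exclude":[{"email":{"email":"contractor@example.com"}}]},
 {"name":"Allow all","decision":"allow","include":[{"everyone":{}}]},
 {"name":"Future rule","decision":"allow","include":[{"everyone":{}}],"exclude":[{"constructed_unknown_rule":{}}]}
]`

func main() {
	ps, err := ParsePolicies(samplePolicies)
	if err != nil {
		panic(err)
	}
	dev := Identity{Email: "dev@example.com", Groups: []string{"aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}
	for _, p := range ps {
		fmt.Printf("%-12s matches=%-5v open=%v\n", p.Name, PolicyMatches(p, dev), OpenToAnyone(p))
	}
}
```

The third sample policy is reported as neither matching nor open because its Exclude list holds a rule the sketch cannot evaluate; a reviewer should read that result as "unknown", not as "safe".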
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. 
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	application, err := client.ZeroTrust.Access.Applications.New(context.TODO(), zero_trust.AccessApplicationNewParams{
		Body: zero_trust.AccessApplicationNewParamsBodySelfHostedApplication{
			Domain: cloudflare.F("test.example.com/admin"),
			Type:   cloudflare.F(zero_trust.ApplicationTypeSelfHosted),
		},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", application)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": [
        "string"
      ],
      "allowed_methods": [
        "GET"
      ],
      "allowed_origins": [
        "https://example.com"
      ],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "destinations": [
      {
        "type": "public",
        "uri": "test.example.com/admin"
      },
      {
        "type": "public",
        "uri": "test.anotherexample.com/staff"
      },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "mcp_server_id": "mcp-server-1",
        "type": "via_mcp_server_portal"
      }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": [
          "https://example.com/callback"
        ],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": [
              "test1@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": [
              "test@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": [
              "text"
            ],
            "allowed_clipboard_remote_to_local_formats": [
              "text"
            ]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "include": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": [
            "totp",
            "biometrics",
            "security_key"
          ],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": {
            "create": true,
            "delete": true,
            "update": true
          },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": [
      "engineers"
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Update an Access application

`client.ZeroTrust.Access.Applications.Update(ctx, appID, params) (*AccessApplicationUpdateResponse, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Updates an Access application.

### Parameters

- `AppID AppID` Identifier.
- `params AccessApplicationUpdateParams`
- `Domain param.Field[string]` Body param: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `Type param.Field[ApplicationType]` Body param: The application type.
- `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `AllowAuthenticateViaWARP param.Field[bool]` Body param: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `AllowIframe param.Field[bool]` Body param: Enables loading application content in an iFrame.
- `AllowedIdPs param.Field[[]AllowedIdPs]` Body param: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `AppLauncherVisible param.Field[bool]` Body param: Displays the application in the App Launcher.
- `AutoRedirectToIdentity param.Field[bool]` Body param: When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `CORSHeaders param.Field[CORSHeaders]` Body param
- `CustomDenyMessage param.Field[string]` Body param: The custom error message shown to a user when they are denied access to the application.
- `CustomDenyURL param.Field[string]` Body param: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `CustomNonIdentityDenyURL param.Field[string]` Body param: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages param.Field[[]string]` Body param: The custom pages that will be displayed when applicable for this application - `Destinations param.Field[[]AccessApplicationUpdateParamsSelfHostedApplicationDestination]` Body param: List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPublicDestination` - `Type AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestination` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. 
- `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateParamsSelfHostedApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `AccessApplicationUpdateParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestination` - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie param.Field[bool]` Body param: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute param.Field[bool]` Body param: Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL param.Field[string]` Body param: The image URL for the logo shown in the App Launcher dashboard. 
- `MfaConfig param.Field[AccessApplicationUpdateParamsSelfHostedApplicationMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name param.Field[string]` Body param: The name of the application. - `OAuthConfiguration param.Field[AccessApplicationUpdateParamsSelfHostedApplicationOAuthConfiguration]` Body param: **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateParamsSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost.
- `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateParamsSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass param.Field[bool]` Body param: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute param.Field[bool]` Body param: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `Policies param.Field[[]AccessApplicationUpdateParamsSelfHostedApplicationPolicyUnion]` Body param: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessApplicationUpdateParamsSelfHostedApplicationPoliciesAccessAppPolicyLink` - `ID string` The UUID of the policy - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. 
- `UnionString` - `AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObject` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
- `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ReadServiceTokensFromHeader param.Field[string]` Body param: Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute param.Field[string]` Body param: Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig param.Field[AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfig]` Body param: Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application.
- `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication` - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken` - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains param.Field[[]SelfHostedDomains]` Body param: List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect param.Field[bool]` Body param: Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial param.Field[bool]` Body param: Enables automatic authentication through cloudflared. - `Tags param.Field[[]string]` Body param: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL param.Field[bool]` Body param: Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. ### Returns - `type AccessApplicationUpdateResponse interface{…}` - `type AccessApplicationUpdateResponseSelfHostedApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type ApplicationType` The application type. 
- `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"` - `const ApplicationTypeSaaS ApplicationType = "saas"` - `const ApplicationTypeSSH ApplicationType = "ssh"` - `const ApplicationTypeVNC ApplicationType = "vnc"` - `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"` - `const ApplicationTypeWARP ApplicationType = "warp"` - `const ApplicationTypeBISO ApplicationType = "biso"` - `const ApplicationTypeBookmark ApplicationType = "bookmark"` - `const ApplicationTypeDashSSO ApplicationType = "dash_sso"` - `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"` - `const ApplicationTypeRDP ApplicationType = "rdp"` - `const ApplicationTypeMcp ApplicationType = "mcp"` - `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"` - `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. 
- `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. - `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []AllowedOrigins` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseSelfHostedApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseSelfHostedApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationUpdateResponseSelfHostedApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource.
This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseSelfHostedApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseSelfHostedApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `Policies []AccessApplicationUpdateResponseSelfHostedApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your GitHub identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `Token string` Token used to authenticate with the remote SCIM service.
- `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"` - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AuthorizationURL string` URL used to generate the auth code used during token generation. - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"` - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service. - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `type AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. 
- `const AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Create bool` Whether or not this mapping applies to create (POST) operations. - `Delete bool` Whether or not this mapping applies to DELETE operations. - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"` - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"` - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationUpdateResponseSaaSApplication struct{…}` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseSaaSApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseSaaSApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `UpdatedAt Time` - `SaaSApp AccessApplicationUpdateResponseSaaSApplicationSaaSApp` - `type SAMLSaaSApp struct{…}` - `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"` - `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"` - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `CustomAttributes []SAMLSaaSAppCustomAttribute` - `FriendlyName string` The SAML FriendlyName of the attribute. - `Name string` The name of the attribute. - `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider. - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `Required bool` If the attribute is required when building a SAML assertion. - `Source SAMLSaaSAppCustomAttributesSource` - `Name string` The name of the IdP attribute. - `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name. - `IdPID string` The UID of the IdP. - `SourceName string` The name of the IdP provided attribute. - `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `IdPEntityID string` The unique identifier for your SaaS application. 
- `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"` - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"` - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `PublicKey string` The Access public certificate that will be used to verify your identity. - `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `SPEntityID string` A globally unique name for an identity or service provider. - `SSOEndpoint string` The endpoint where your SaaS application will send login requests. - `type OIDCSaaSApp struct{…}` - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `AppLauncherURL string` The URL where this application's tile redirects users - `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC.
- `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"` - `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"` - `ClientID string` The application client id - `ClientSecret string` The application client secret, only returned on POST request. - `CustomClaims []OIDCSaaSAppCustomClaim` - `Name string` The name of the claim. - `Required bool` If the claim is required when building an OIDC token. - `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim. - `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"` - `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"` - `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"` - `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"` - `Source OIDCSaaSAppCustomClaimsSource` - `Name string` The name of the IdP claim. - `NameByIdP map[string, string]` A mapping from IdP ID to claim name. - `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application - `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"` - `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"` - `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"` - `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"` - `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"` - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions` - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint - `PublicKey string` The Access public certificate that will be used to verify your identity. 
- `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions` - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `Scopes []OIDCSaaSAppScope` Define the user information shared with access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled - `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"` - `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"` - `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"` - `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"` - `SCIMConfig AccessApplicationUpdateResponseSaaSApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `Tags []string` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationUpdateResponseBrowserSSHApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationUpdateResponseBrowserSSHApplicationType` The application type. - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeSelfHosted AccessApplicationUpdateResponseBrowserSSHApplicationType = "self_hosted"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeSaaS AccessApplicationUpdateResponseBrowserSSHApplicationType = "saas"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeSSH AccessApplicationUpdateResponseBrowserSSHApplicationType = "ssh"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeVNC AccessApplicationUpdateResponseBrowserSSHApplicationType = "vnc"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeAppLauncher AccessApplicationUpdateResponseBrowserSSHApplicationType = "app_launcher"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeWARP AccessApplicationUpdateResponseBrowserSSHApplicationType = "warp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeBISO AccessApplicationUpdateResponseBrowserSSHApplicationType = "biso"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeBookmark AccessApplicationUpdateResponseBrowserSSHApplicationType = "bookmark"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeDashSSO AccessApplicationUpdateResponseBrowserSSHApplicationType = "dash_sso"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeInfrastructure AccessApplicationUpdateResponseBrowserSSHApplicationType = "infrastructure"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeRDP AccessApplicationUpdateResponseBrowserSSHApplicationType = "rdp"` - `const 
AccessApplicationUpdateResponseBrowserSSHApplicationTypeMcp AccessApplicationUpdateResponseBrowserSSHApplicationType = "mcp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeMcpPortal AccessApplicationUpdateResponseBrowserSSHApplicationType = "mcp_portal"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationTypeProxyEndpoint AccessApplicationUpdateResponseBrowserSSHApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseBrowserSSHApplicationDestination` List of destinations secured by Access. 
This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseBrowserSSHApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. 
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseBrowserSSHApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `Policies []AccessApplicationUpdateResponseBrowserSSHApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. 
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationUpdateResponseBrowserVNCApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. 
This domain will be displayed if the app is visible in the App Launcher. - `Type AccessApplicationUpdateResponseBrowserVNCApplicationType` The application type. - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeSelfHosted AccessApplicationUpdateResponseBrowserVNCApplicationType = "self_hosted"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeSaaS AccessApplicationUpdateResponseBrowserVNCApplicationType = "saas"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeSSH AccessApplicationUpdateResponseBrowserVNCApplicationType = "ssh"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeVNC AccessApplicationUpdateResponseBrowserVNCApplicationType = "vnc"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeAppLauncher AccessApplicationUpdateResponseBrowserVNCApplicationType = "app_launcher"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeWARP AccessApplicationUpdateResponseBrowserVNCApplicationType = "warp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeBISO AccessApplicationUpdateResponseBrowserVNCApplicationType = "biso"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeBookmark AccessApplicationUpdateResponseBrowserVNCApplicationType = "bookmark"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeDashSSO AccessApplicationUpdateResponseBrowserVNCApplicationType = "dash_sso"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeInfrastructure AccessApplicationUpdateResponseBrowserVNCApplicationType = "infrastructure"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeRDP AccessApplicationUpdateResponseBrowserVNCApplicationType = "rdp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeMcp AccessApplicationUpdateResponseBrowserVNCApplicationType = "mcp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeMcpPortal AccessApplicationUpdateResponseBrowserVNCApplicationType = 
"mcp_portal"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationTypeProxyEndpoint AccessApplicationUpdateResponseBrowserVNCApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseBrowserVNCApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. 
Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. 
When omitted, all VNETs will match. - `type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseBrowserVNCApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseBrowserVNCApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. 
- `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationUpdateResponseBrowserVNCApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. 
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationUpdateResponseAppLauncherApplication struct{…}` - `Type AccessApplicationUpdateResponseAppLauncherApplicationType` The application type. 
- `const AccessApplicationUpdateResponseAppLauncherApplicationTypeSelfHosted AccessApplicationUpdateResponseAppLauncherApplicationType = "self_hosted"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeSaaS AccessApplicationUpdateResponseAppLauncherApplicationType = "saas"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeSSH AccessApplicationUpdateResponseAppLauncherApplicationType = "ssh"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeVNC AccessApplicationUpdateResponseAppLauncherApplicationType = "vnc"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeAppLauncher AccessApplicationUpdateResponseAppLauncherApplicationType = "app_launcher"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeWARP AccessApplicationUpdateResponseAppLauncherApplicationType = "warp"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeBISO AccessApplicationUpdateResponseAppLauncherApplicationType = "biso"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeBookmark AccessApplicationUpdateResponseAppLauncherApplicationType = "bookmark"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeDashSSO AccessApplicationUpdateResponseAppLauncherApplicationType = "dash_sso"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeInfrastructure AccessApplicationUpdateResponseAppLauncherApplicationType = "infrastructure"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeRDP AccessApplicationUpdateResponseAppLauncherApplicationType = "rdp"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeMcp AccessApplicationUpdateResponseAppLauncherApplicationType = "mcp"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeMcpPortal AccessApplicationUpdateResponseAppLauncherApplicationType = "mcp_portal"` - `const AccessApplicationUpdateResponseAppLauncherApplicationTypeProxyEndpoint 
AccessApplicationUpdateResponseAppLauncherApplicationType = "proxy_endpoint"` - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherLogoURL string` The image URL of the logo shown in the App Launcher header. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `BgColor string` The background color of the App Launcher page. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `FooterLinks []AccessApplicationUpdateResponseAppLauncherApplicationFooterLink` The links in the App Launcher footer. - `Name string` The hypertext in the footer link. - `URL string` The hyperlink in the footer link. - `HeaderBgColor string` The background color of the App Launcher header. - `LandingPageDesign AccessApplicationUpdateResponseAppLauncherApplicationLandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `ButtonColor string` The background color of the log in button on the landing page. - `ButtonTextColor string` The color of the text in the log in button on the landing page. - `ImageURL string` The URL of the image shown on the landing page. - `Message string` The message shown on the landing page. - `Title string` The title shown on the landing page.
- `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseAppLauncherApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
- `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseAppLauncherApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. 
- `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. 
- `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipAppLauncherLoginPage bool` Determines when to skip the App Launcher landing page. - `type AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
- `ConnectionRules AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy.
- `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. 
- `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `type AccessApplicationUpdateResponseBrowserIsolationPermissionsApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
  - `CustomPages []string` The custom pages that will be displayed when applicable for this application.
  - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `Name string` The name of the application.
  - `Policies []AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPolicy`
    - `ID string` The UUID of the policy.
    - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
      - `EmailAddresses []string` A list of emails that can approve the access request.
      - `EmailListUUID string` The UUID of a reusable email list.
    - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
    - `ConnectionRules AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `RDP AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
        - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
    - `CreatedAt Time`
    - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Match an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Match an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `MfaConfig AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings.
      - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
        - `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"`
        - `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"`
        - `const AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"`
      - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `Name string` The name of the Access policy.
    - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
    - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
    - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
    - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Match an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `UpdatedAt Time`
  - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `type AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplication struct{…}`
  - `Type ApplicationType` The application type.
  - `ID string` UUID.
  - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `AUD string` Audience tag.
  - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `CustomPages []string` The custom pages that will be displayed when applicable for this application.
  - `Domain string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
  - `Name string` The name of the application.
  - `Policies []AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPolicy`
    - `ID string` The UUID of the policy.
    - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
      - `EmailAddresses []string` A list of emails that can approve the access request.
      - `EmailListUUID string` The UUID of a reusable email list.
    - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
    - `ConnectionRules AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `RDP AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
        - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
    - `CreatedAt Time`
    - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Match an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Match an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `MfaConfig AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings.
      - `AllowedAuthenticators []AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
        - `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"`
        - `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"`
        - `const AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"`
      - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `Name string` The name of the Access policy.
    - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
    - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
    - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
    - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Match an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `UpdatedAt Time`
  - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `type AccessApplicationUpdateResponseBookmarkApplication struct{…}`
  - `ID string` UUID.
  - `AppLauncherVisible bool` Displays the application in the App Launcher.
  - `AUD string` Audience tag.
  - `Domain string` The URL or domain of the bookmark.
  - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
  - `Name string` The name of the application.
  - `Policies []AccessApplicationUpdateResponseBookmarkApplicationPolicy`
    - `ID string` The UUID of the policy.
    - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
      - `EmailAddresses []string` A list of emails that can approve the access request.
      - `EmailListUUID string` The UUID of a reusable email list.
    - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
    - `ConnectionRules AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `RDP AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
        - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBookmarkApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
    - `CreatedAt Time`
    - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Match an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `type CountryRule struct{…}` Matches a specific country.
      - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `type DomainRule struct{…}` Match an entire email domain.
      - `type EmailListRule struct{…}` Matches an email address from a list.
      - `type EmailRule struct{…}` Matches a specific email.
      - `type EveryoneRule struct{…}` Matches everyone.
      - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `type IPListRule struct{…}` Matches an IP address from a list.
      - `type IPRule struct{…}` Matches an IP address block.
      - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `MfaConfig AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings.
      - `AllowedAuthenticators []AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
        - `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"`
        - `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"`
        - `const AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"`
      - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `Name string` The name of the Access policy.
    - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
    - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
    - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
    - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `type GroupRule struct{…}` Matches an Access group.
      - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `Type ApplicationType` The application type. - `type AccessApplicationUpdateResponseInfrastructureApplication struct{…}` - `TargetCriteria []AccessApplicationUpdateResponseInfrastructureApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationUpdateResponseInfrastructureApplicationTargetCriteriaProtocol` The communication protocol your application secures. - `const AccessApplicationUpdateResponseInfrastructureApplicationTargetCriteriaProtocolSSH AccessApplicationUpdateResponseInfrastructureApplicationTargetCriteriaProtocol = "SSH"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AUD string` Audience tag. - `Name string` The name of the application. - `Policies []AccessApplicationUpdateResponseInfrastructureApplicationPolicy` - `ID string` The UUID of the policy - `ConnectionRules AccessApplicationUpdateResponseInfrastructureApplicationPoliciesConnectionRules` The rules that define how users may connect to the targets secured by your application. - `SSH AccessApplicationUpdateResponseInfrastructureApplicationPoliciesConnectionRulesSSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `Usernames []string` Contains the Unix usernames that may be used when connecting over SSH. - `AllowEmailAlias bool` Enables using Identity Provider email alias as SSH username. 
- `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. 
Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access policy. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UpdatedAt Time` - `type AccessApplicationUpdateResponseBrowserRDPApplication struct{…}` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `TargetCriteria []AccessApplicationUpdateResponseBrowserRDPApplicationTargetCriterion` - `Port int64` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `Protocol AccessApplicationUpdateResponseBrowserRDPApplicationTargetCriteriaProtocol` The communication protocol your application secures. 
- `const AccessApplicationUpdateResponseBrowserRDPApplicationTargetCriteriaProtocolRDP AccessApplicationUpdateResponseBrowserRDPApplicationTargetCriteriaProtocol = "RDP"` - `TargetAttributes map[string, []string]` Contains a map of target attribute keys to target attribute values. - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders CORSHeaders` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseBrowserRDPApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `MfaConfig AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseBrowserRDPApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. 
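The `DynamicClientRegistration` fields above amount to a redirect-URI allow-list. The following is an added example, not code from the SDK or from Cloudflare, showing one way to lint `AllowedURIs` entries and check a candidate redirect URI before relying on such a policy. `DCRPolicy`, `ValidateAllowedURIs` and `RedirectAllowed` are hypothetical names, and the assumptions are that `/oauth/*` covers sub-paths but not `/oauth` itself, that hosts are compared exactly (port included), and that localhost and loopback redirects are limited to `http` and `https`.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DCRPolicy mirrors the four DynamicClientRegistration fields documented above.
// The matching rules are this example's interpretation, not Cloudflare's code.
type DCRPolicy struct {
	Enabled             bool
	AllowAnyOnLocalhost bool
	AllowAnyOnLoopback  bool
	AllowedURIs         []string
}

// ValidateAllowedURIs enforces the documented constraints on allow-list
// entries: https only, and "*" only as a trailing "/*" path suffix.
func ValidateAllowedURIs(entries []string) error {
	for _, e := range entries {
		u, err := url.Parse(e)
		if err != nil {
			return fmt.Errorf("%q: %w", e, err)
		}
		if u.Scheme != "https" || u.Host == "" || u.User != nil {
			return fmt.Errorf("%q: must be an absolute https URI without userinfo", e)
		}
		if strings.Contains(u.Host, "*") || strings.Contains(strings.TrimSuffix(u.Path, "/*"), "*") {
			return fmt.Errorf("%q: wildcard is only allowed as a trailing /*", e)
		}
	}
	return nil
}

// hasDotSegment reports whether a decoded path contains "." or ".." segments,
// which would let a prefix match be walked back out of the allowed sub-tree.
func hasDotSegment(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == "." || seg == ".." {
			return true
		}
	}
	return false
}

// pathMatches is an exact match, or a prefix match when pattern ends in "/*".
func pathMatches(pattern, p string) bool {
	if strings.HasSuffix(pattern, "/*") {
		return strings.HasPrefix(p, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == p
}

// RedirectAllowed decides whether a client's redirect URI fits the policy.
// Hosts are compared after parsing, never by string prefix on the raw URI.
func (p DCRPolicy) RedirectAllowed(redirect string) bool {
	if !p.Enabled {
		return false
	}
	u, err := url.Parse(redirect)
	if err != nil || u.Host == "" || u.User != nil || u.Fragment != "" {
		return false
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false
	}
	host := strings.ToLower(u.Hostname())
	if (p.AllowAnyOnLocalhost && host == "localhost") || (p.AllowAnyOnLoopback && host == "127.0.0.1") {
		return true
	}
	if u.Scheme != "https" || hasDotSegment(u.Path) {
		return false
	}
	for _, entry := range p.AllowedURIs {
		a, err := url.Parse(entry)
		if err != nil || a.Scheme != "https" || !strings.EqualFold(a.Host, u.Host) {
			continue
		}
		if pathMatches(a.Path, u.Path) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed policy and inputs, for illustration only.
	p := DCRPolicy{Enabled: true, AllowAnyOnLocalhost: true,
		AllowedURIs: []string{"https://app.example.com/oauth/*"}}
	for _, r := range []string{
		"https://app.example.com/oauth/callback",
		"https://app.example.com.evil.test/oauth/callback",
		"https://app.example.com/oauth/%2e%2e/admin",
		"http://localhost:8080/cb",
	} {
		fmt.Printf("%-55s allowed=%v\n", r, p.RedirectAllowed(r))
	}
}
```
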
- `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseBrowserRDPApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `PathCookieAttribute bool` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `Policies []AccessApplicationUpdateResponseBrowserRDPApplicationPolicy` - `ID string` The UUID of the policy. - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
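The `Include`, `Exclude` and `Require` descriptions combine into a single match decision: at least one Include rule, every Require rule, and no Exclude rule. The following is an added example, not code from the SDK or from Cloudflare, that models those three lists over a small subset of rule kinds so that a policy can be reviewed against sample identities. `Identity`, `Rule`, `Policy`, `Matches`, `Audit` and `NewIdentity` are hypothetical names, all inputs are constructed, and treating an empty `Include` list as matching nobody is this example's assumption.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Identity is a constructed stand-in for the attributes the rules inspect.
type Identity struct {
	Email string
	IP    netip.Addr
}

// NewIdentity builds an Identity; an unparsable IP matches no IP range.
func NewIdentity(email, ip string) Identity {
	addr, _ := netip.ParseAddr(ip)
	return Identity{Email: email, IP: addr}
}

// Rule is a hypothetical predicate form of one AccessRule.
type Rule struct {
	Kind  string
	Match func(Identity) bool
}

func Everyone() Rule { return Rule{"everyone", func(Identity) bool { return true }} }

func Email(addr string) Rule {
	return Rule{"email", func(id Identity) bool { return strings.EqualFold(id.Email, addr) }}
}

// EmailDomain compares the whole domain after the last "@", so that
// "user@example.com.evil.test" does not match "example.com".
func EmailDomain(domain string) Rule {
	return Rule{"email_domain", func(id Identity) bool {
		at := strings.LastIndex(id.Email, "@")
		return at >= 0 && strings.EqualFold(id.Email[at+1:], domain)
	}}
}

func IPRange(cidr string) Rule {
	prefix := netip.MustParsePrefix(cidr)
	return Rule{"ip", func(id Identity) bool { return prefix.Contains(id.IP) }}
}

// Policy holds the three rule lists described above.
type Policy struct {
	Name                      string
	Include, Exclude, Require []Rule
}

// Matches applies the documented operators: Exclude is NOT (any hit rejects),
// Require is AND (any miss rejects), Include is OR (one hit is enough).
func (p Policy) Matches(id Identity) bool {
	for _, r := range p.Exclude {
		if r.Match(id) {
			return false
		}
	}
	for _, r := range p.Require {
		if !r.Match(id) {
			return false
		}
	}
	for _, r := range p.Include {
		if r.Match(id) {
			return true
		}
	}
	return false // assumption: no Include hit means no match
}

// Audit flags rule combinations a reviewer would want to look at twice.
func Audit(p Policy) []string {
	var findings []string
	if len(p.Include) == 0 {
		findings = append(findings, p.Name+": no Include rules, so nobody can match")
	}
	for _, r := range p.Include {
		if r.Kind == "everyone" && len(p.Require) == 0 {
			findings = append(findings, p.Name+": Include matches everyone and no Require rule narrows it")
		}
	}
	return findings
}

func main() {
	staff := Policy{
		Name:    "staff-from-office",
		Include: []Rule{EmailDomain("example.com"), EmailDomain("partner.example")},
		Require: []Rule{IPRange("203.0.113.0/24")},
		Exclude: []Rule{Email("contractor@example.com")},
	}
	for _, id := range []Identity{
		NewIdentity("alice@example.com", "203.0.113.10"),
		NewIdentity("alice@example.com", "198.51.100.5"),
		NewIdentity("contractor@example.com", "203.0.113.12"),
	} {
		fmt.Printf("%-26s %-14s match=%v\n", id.Email, id.IP, staff.Matches(id))
	}
	fmt.Println(Audit(Policy{Name: "wide-open", Include: []Rule{Everyone()}}))
}
```
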
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. 
- `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `ReadServiceTokensFromHeader string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. 
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SelfHostedDomains []SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `SkipInterstitial bool` Enables automatic authentication through cloudflared. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `type AccessApplicationUpdateResponseMcpServerApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. 
- `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseMcpServerApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseMcpServerApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `Type AccessApplicationUpdateResponseMcpServerApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseMcpServerApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `Type AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseMcpServerApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `type AccessApplicationUpdateResponseMcpServerApplicationDestinationsViaMcpServerPortalDestination struct{…}` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseMcpServerApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseMcpServerApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `DynamicClientRegistration AccessApplicationUpdateResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application.
When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseMcpServerApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationUpdateResponseMcpServerApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a reusable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
- `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseMcpServerApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. 
- `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. 
- `AllowedAuthenticators []AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseMcpServerApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `type AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. 
- `Scheme AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. 
- `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type AccessApplicationUpdateResponseMcpServerPortalApplication struct{…}` - `Type ApplicationType` The application type. - `ID string` UUID. - `AllowAuthenticateViaWARP bool` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `CustomNonIdentityDenyURL string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `CustomPages []string` The custom pages that will be displayed when applicable for this application - `Destinations []AccessApplicationUpdateResponseMcpServerPortalApplicationDestination` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. 
If `destinations` are provided, then `self_hosted_domains` will be ignored. - `type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `Type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPublicDestinationType` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPublicDestinationTypePublic AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPublicDestinationType = "public"` - `URI string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}` - `CIDR string` The CIDR range of the destination. Single IPs will be computed as /32. - `Hostname string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `L4Protocol AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "tcp"` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol = "udp"` - `PortRange string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `Type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationType` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationTypePrivate AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsPrivateDestinationType = "private"` - `VnetID string` The VNET ID to match the destination. When omitted, all VNETs will match. - `type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestination struct{…}` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `McpServerID string` The MCP server id configured in ai-controls. - `Type AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationTypeViaMcpServerPortal AccessApplicationUpdateResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestinationType = "via_mcp_server_portal"` - `Domain string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OAuthConfiguration AccessApplicationUpdateResponseMcpServerPortalApplicationOAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. 
- `DynamicClientRegistration AccessApplicationUpdateResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration` Settings for OAuth dynamic client registration. - `AllowAnyOnLocalhost bool` Allows any client with redirect URIs on localhost. - `AllowAnyOnLoopback bool` Allows any client with redirect URIs on 127.0.0.1. - `AllowedURIs []string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `Enabled bool` Whether dynamic client registration is enabled. - `Enabled bool` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `Grant AccessApplicationUpdateResponseMcpServerPortalApplicationOAuthConfigurationGrant` Settings for OAuth grant behavior. - `AccessTokenLifetime string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `SessionDuration string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `Policies []AccessApplicationUpdateResponseMcpServerPortalApplicationPolicy` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of a re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
- `ConnectionRules AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `AllowedClipboardLocalToRemoteFormats []AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Include []AccessRule` Rules evaluated with an OR logical operator.
A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorTotp AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorBiometrics AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationUpdateResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. 
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `type AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem` Multiple authentication schemes - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `type AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `ClientID string` Client ID of the Access service token used to authenticate with the remote service. - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service. - `Scheme AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application. - `const AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken AccessApplicationUpdateResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"` - `DeactivateOnDelete bool` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `Enabled bool` Whether SCIM provisioning is turned on for this application. - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `Schema string` Which SCIM resource type this mapping applies to. - `Enabled bool` Whether or not this mapping is enabled. - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. 
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes. - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `Tags []string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) application, err := client.ZeroTrust.Access.Applications.Update( context.TODO(), "023e105f4ecef8ad9ca31a8372d0c353", zero_trust.AccessApplicationUpdateParams{ Body: zero_trust.AccessApplicationUpdateParamsBodySelfHostedApplication{ Domain: cloudflare.F("test.example.com/admin"), Type: cloudflare.F(zero_trust.ApplicationTypeSelfHosted), }, }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", application) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "domain": "test.example.com/admin", "type": "self_hosted", "id": 
"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "allow_authenticate_via_warp": true, "allow_iframe": true, "allowed_idps": [ "699d98642c564d2e855e9661899b7252" ], "app_launcher_visible": true, "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893", "auto_redirect_to_identity": true, "cors_headers": { "allow_all_headers": true, "allow_all_methods": true, "allow_all_origins": true, "allow_credentials": true, "allowed_headers": [ "string" ], "allowed_methods": [ "GET" ], "allowed_origins": [ "https://example.com" ], "max_age": -1 }, "created_at": "2014-01-01T05:20:00.12345Z", "custom_deny_message": "custom_deny_message", "custom_deny_url": "custom_deny_url", "custom_non_identity_deny_url": "custom_non_identity_deny_url", "custom_pages": [ "699d98642c564d2e855e9661899b7252" ], "destinations": [ { "type": "public", "uri": "test.example.com/admin" }, { "type": "public", "uri": "test.anotherexample.com/staff" }, { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" }, { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" } ], "enable_binding_cookie": true, "http_only_cookie_attribute": true, "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Admin Site", "oauth_configuration": { "dynamic_client_registration": { "allow_any_on_localhost": true, "allow_any_on_loopback": true, "allowed_uris": [ "https://example.com/callback" ], "enabled": true }, "enabled": true, "grant": { "access_token_lifetime": "5m", 
"session_duration": "24h" } }, "options_preflight_bypass": true, "path_cookie_attribute": true, "policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "read_service_tokens_from_header": "Authorization", "same_site_cookie_attribute": "strict", "scim_config": { "idp_uid": "idp_uid", "remote_uri": "remote_uri", "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" }, "deactivate_on_delete": true, "enabled": true, "mappings": [ { "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "enabled": true, "filter": "title pr or userType eq \"Intern\"", "operations": { "create": true, "delete": true, "update": true }, "strictness": "strict", "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & 
$substringAfter($.userName, '@')}])" } ] }, "self_hosted_domains": [ "test.example.com/admin", "test.anotherexample.com/staff" ], "service_auth_401_redirect": true, "session_duration": "24h", "skip_interstitial": true, "tags": [ "engineers" ], "updated_at": "2014-01-01T05:20:00.12345Z", "use_clientless_isolation_app_launcher_url": false } }
```

## Delete an Access application

`client.ZeroTrust.Access.Applications.Delete(ctx, appID, body) (*AccessApplicationDeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Deletes an application from Access.

### Parameters

- `AppID AppID` Identifier.
- `body AccessApplicationDeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationDeleteResponse struct{…}`
  - `ID string` UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	application, err := client.ZeroTrust.Access.Applications.Delete(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationDeleteParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", application.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Revoke application tokens

`client.ZeroTrust.Access.Applications.RevokeTokens(ctx, appID, body)
(*AccessApplicationRevokeTokensResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens`

Revokes all tokens issued for an application.

### Parameters

- `AppID AppID` Identifier.
- `body AccessApplicationRevokeTokensParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationRevokeTokensResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Access.Applications.RevokeTokens(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationRevokeTokensParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response)
}
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Allowed Headers

- `type AllowedHeaders string`

### Allowed IdPs

- `type AllowedIdPs string` The identity providers selected for application.

### Allowed Methods

- `type AllowedMethods string`
  - `const AllowedMethodsGet AllowedMethods = "GET"`
  - `const AllowedMethodsPost AllowedMethods = "POST"`
  - `const AllowedMethodsHead AllowedMethods = "HEAD"`
  - `const AllowedMethodsPut AllowedMethods = "PUT"`
  - `const AllowedMethodsDelete AllowedMethods = "DELETE"`
  - `const AllowedMethodsConnect AllowedMethods = "CONNECT"`
  - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"`
  - `const AllowedMethodsTrace AllowedMethods = "TRACE"`
  - `const AllowedMethodsPatch AllowedMethods = "PATCH"`

### Allowed Origins

- `type AllowedOrigins string`

### App ID

- `type AppID string` Identifier.
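The application object returned by the update call above carries several settings that this reference describes in security terms: `http_only_cookie_attribute`, `options_preflight_bypass`, `cors_headers`, `oauth_configuration.dynamic_client_registration`, and the policy-level `mfa_config`, `include` and `require` fields. The program below is an added example (not part of cloudflare-go or of this reference) that decodes such a response with the standard library only and lists the settings a reviewer should look at. The function and type names, the finding texts and the sample JSON are constructed for illustration, and the `everyone` rule key comes from the Access API rather than from the JSON shown on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// finding names the JSON field that triggered and why a reviewer should look at it.
type finding struct{ Field, Risk string }

// accessApp holds only the fields this audit reads; the keys match the response above.
type accessApp struct {
	HTTPOnly        *bool `json:"http_only_cookie_attribute"`
	PreflightBypass bool  `json:"options_preflight_bypass"`
	CORS            *struct {
		AllOrigins  bool `json:"allow_all_origins"`
		Credentials bool `json:"allow_credentials"`
	} `json:"cors_headers"`
	OAuth *struct {
		Enabled *bool `json:"enabled"` // the reference says this defaults to true if omitted
		DCR     struct {
			Enabled        bool `json:"enabled"`
			AnyOnLocalhost bool `json:"allow_any_on_localhost"`
			AnyOnLoopback  bool `json:"allow_any_on_loopback"`
		} `json:"dynamic_client_registration"`
	} `json:"oauth_configuration"`
	Policies []struct {
		Decision string                       `json:"decision"`
		Include  []map[string]json.RawMessage `json:"include"`
		Require  []map[string]json.RawMessage `json:"require"`
		MFA      *struct {
			Disabled bool `json:"mfa_disabled"`
		} `json:"mfa_config"`
	} `json:"policies"`
}

// auditAccessApp decodes one {"success": ..., "result": {...}} envelope and returns findings in a fixed order.
func auditAccessApp(raw []byte) ([]finding, error) {
	var env struct {
		Success bool       `json:"success"`
		Result  *accessApp `json:"result"`
	}
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success || env.Result == nil {
		return nil, fmt.Errorf("response carries no successful result")
	}
	app, out := env.Result, []finding{}
	add := func(field, risk string) { out = append(out, finding{field, risk}) }
	// A missing key is not flagged: only an explicit false is a decision someone made.
	if app.HTTPOnly != nil && !*app.HTTPOnly {
		add("http_only_cookie_attribute", "HttpOnly is off, so its protection against XSS is lost")
	}
	if app.PreflightBypass {
		add("options_preflight_bypass", "OPTIONS preflights reach the origin without Access authentication")
	}
	if app.CORS != nil && app.CORS.AllOrigins && app.CORS.Credentials {
		add("cors_headers", "every origin is allowed and credentials are included")
	}
	if o := app.OAuth; o != nil && (o.Enabled == nil || *o.Enabled) && o.DCR.Enabled &&
		(o.DCR.AnyOnLocalhost || o.DCR.AnyOnLoopback) {
		add("oauth_configuration.dynamic_client_registration", "any localhost or 127.0.0.1 client can register")
	}
	for i, p := range app.Policies {
		if p.MFA != nil && p.MFA.Disabled {
			add(fmt.Sprintf("policies[%d].mfa_config", i), "MFA is disabled for this policy")
		}
		if (p.Decision != "allow" && p.Decision != "bypass") || len(p.Require) > 0 {
			continue // deny-type policies and policies narrowed by require rules are out of scope
		}
		for _, r := range p.Include {
			// "everyone" is the Access API key for EveryoneRule (not shown in the JSON on this page).
			if _, ok := r["everyone"]; ok {
				add(fmt.Sprintf("policies[%d].include", i), p.Decision+" policy matches everyone with no require rule")
				break
			}
		}
	}
	return out, nil
}

// weakSample is constructed for this example; it is not output from a real account.
const weakSample = `{"success": true, "result": {"http_only_cookie_attribute": false,
  "cors_headers": {"allow_all_origins": true, "allow_credentials": true},
  "oauth_configuration": {"dynamic_client_registration": {"enabled": true, "allow_any_on_localhost": true}},
  "policies": [{"decision": "allow", "include": [{"group": {"id": "constructed-group-id"}}]},
    {"decision": "allow", "include": [{"everyone": {}}], "mfa_config": {"mfa_disabled": true}}]}}`

func main() {
	findings, err := auditAccessApp([]byte(weakSample))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-50s %s\n", f.Field, f.Risk)
	}
}
```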
### Application - `type Application interface{…}` - `ApplicationSelfHostedApplication` - `Domain string` The domain and path that Access will secure. - `Type string` The application type. - `ID string` UUID. - `AllowIframe bool` Enables loading application content in an iFrame. - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `AUD string` Audience tag. - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `CORSHeaders ApplicationSelfHostedApplicationCORSHeaders` - `AllowAllHeaders bool` Allows all HTTP request headers. - `AllowAllMethods bool` Allows all HTTP request methods. - `AllowAllOrigins bool` Allows all origins. - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `AllowedHeaders []unknown` Allowed HTTP request headers. - `AllowedMethods []AllowedMethods` Allowed HTTP request methods. - `const AllowedMethodsGet AllowedMethods = "GET"` - `const AllowedMethodsPost AllowedMethods = "POST"` - `const AllowedMethodsHead AllowedMethods = "HEAD"` - `const AllowedMethodsPut AllowedMethods = "PUT"` - `const AllowedMethodsDelete AllowedMethods = "DELETE"` - `const AllowedMethodsConnect AllowedMethods = "CONNECT"` - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"` - `const AllowedMethodsTrace AllowedMethods = "TRACE"` - `const AllowedMethodsPatch AllowedMethods = "PATCH"` - `AllowedOrigins []unknown` Allowed origins. - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached. - `CreatedAt Time` - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application. 
- `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application. - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the application. - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `RemoteURI string` The base URI for the application's SCIM-compatible API. - `Authentication ApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `Password string` Password used to authenticate with the remote SCIM service. - `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application. - `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"` - `User string` User name used to authenticate with the remote SCIM service. - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken` - `Token string` Token used to authenticate with the remote SCIM service. 
          - `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application.
            - `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"`
        - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AuthorizationURL string` URL used to generate the auth code used during token generation.
          - `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application.
            - `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"`
          - `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken`
          - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
          - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service.
          - `Scheme ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
            - `const ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"`
        - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthentication`
          - `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken`
            - `Token string` Token used to authenticate with the remote SCIM service.
            - `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application.
              - `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"`
          - `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken`
            - `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
            - `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service.
            - `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
              - `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"`
      - `DeactivateOnDelete bool` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
      - `Enabled bool` Whether SCIM provisioning is turned on for this application.
      - `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `Schema string` Which SCIM resource type this mapping applies to.
        - `Enabled bool` Whether or not this mapping is enabled.
        - `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes.
          - `Create bool` Whether or not this mapping applies to create (POST) operations.
          - `Delete bool` Whether or not this mapping applies to DELETE operations.
          - `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
          - `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"`
          - `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"`
        - `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `SkipInterstitial bool` Enables automatic authentication through cloudflared.
    - `UpdatedAt Time`
    - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `ApplicationSaaSApplication`
    - `ID string` UUID.
    - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `AppLauncherVisible bool` Displays the application in the App Launcher.
    - `AUD string` Audience tag.
    - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `CreatedAt Time`
    - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
    - `Name string` The name of the application.
    - `SaaSApp ApplicationSaaSApplicationSaaSApp`
      - `ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSApp`
        - `AuthType ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml"
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType = "saml"`
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType = "oidc"`
        - `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
        - `CreatedAt Time`
        - `CustomAttributes []ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttribute`
          - `FriendlyName string` The SAML FriendlyName of the attribute.
          - `Name string` The name of the attribute.
          - `NameFormat ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider.
            - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
            - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
            - `const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
          - `Required bool` If the attribute is required when building a SAML assertion.
          - `Source ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesSource`
            - `Name string` The name of the IdP attribute.
            - `NameByIdP map[string, string]` A mapping from IdP ID to attribute name.
        - `IdPEntityID string` The unique identifier for your SaaS application.
        - `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
          - `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"`
          - `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"`
        - `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
        - `PublicKey string` The Access public certificate that will be used to verify your identity.
        - `SPEntityID string` A globally unique name for an identity or service provider.
        - `SSOEndpoint string` The endpoint where your SaaS application will send login requests.
        - `UpdatedAt Time`
      - `ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSApp`
        - `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
        - `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
        - `AppLauncherURL string` The URL where this application's tile redirects users
        - `AuthType ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC.
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType = "saml"`
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType = "oidc"`
        - `ClientID string` The application client id
        - `ClientSecret string` The application client secret, only returned on POST request.
        - `CreatedAt Time`
        - `CustomClaims []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaim`
          - `Name string` The name of the claim.
          - `Required bool` If the claim is required when building an OIDC token.
          - `Scope ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope` The scope of the claim.
            - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeGroups ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "groups"`
            - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeProfile ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "profile"`
            - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeEmail ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "email"`
            - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeOpenid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "openid"`
          - `Source ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsSource`
            - `Name string` The name of the IdP claim.
            - `NameByIdP []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsSourceNameByIdP` A mapping from IdP ID to attribute name.
              - `IdPID string` The UID of the IdP.
              - `SourceName string` The name of the IdP provided attribute.
        - `GrantTypes []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType` The OIDC flows supported by this application
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeAuthorizationCode ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "authorization_code"`
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "authorization_code_with_pkce"`
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeRefreshTokens ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "refresh_tokens"`
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeHybrid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "hybrid"`
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeImplicit ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "implicit"`
        - `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.
        - `HybridAndImplicitOptions ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppHybridAndImplicitOptions`
          - `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint
          - `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint
        - `PublicKey string` The Access public certificate that will be used to verify your identity.
        - `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens
        - `RefreshTokenOptions ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppRefreshTokenOptions`
          - `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
        - `Scopes []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope` Defines the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeOpenid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "openid"`
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeGroups ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "groups"`
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeEmail ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "email"`
          - `const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeProfile ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "profile"`
        - `UpdatedAt Time`
    - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `Type string` The application type.
    - `UpdatedAt Time`
  - `ApplicationBrowserSSHApplication`
    - `Domain string` The domain and path that Access will secure.
    - `Type string` The application type.
    - `ID string` UUID.
    - `AllowIframe bool` Enables loading application content in an iFrame.
    - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `AppLauncherVisible bool` Displays the application in the App Launcher.
    - `AUD string` Audience tag.
    - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `CORSHeaders ApplicationBrowserSSHApplicationCORSHeaders`
      - `AllowAllHeaders bool` Allows all HTTP request headers.
      - `AllowAllMethods bool` Allows all HTTP request methods.
      - `AllowAllOrigins bool` Allows all origins.
      - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `AllowedHeaders []unknown` Allowed HTTP request headers.
      - `AllowedMethods []AllowedMethods` Allowed HTTP request methods.
        - `const AllowedMethodsGet AllowedMethods = "GET"`
        - `const AllowedMethodsPost AllowedMethods = "POST"`
        - `const AllowedMethodsHead AllowedMethods = "HEAD"`
        - `const AllowedMethodsPut AllowedMethods = "PUT"`
        - `const AllowedMethodsDelete AllowedMethods = "DELETE"`
        - `const AllowedMethodsConnect AllowedMethods = "CONNECT"`
        - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"`
        - `const AllowedMethodsTrace AllowedMethods = "TRACE"`
        - `const AllowedMethodsPatch AllowedMethods = "PATCH"`
      - `AllowedOrigins []unknown` Allowed origins.
      - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached.
    - `CreatedAt Time`
    - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application.
    - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application.
    - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
    - `Name string` The name of the application.
    - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `SkipInterstitial bool` Enables automatic authentication through cloudflared.
    - `UpdatedAt Time`
    - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `ApplicationBrowserVNCApplication`
    - `Domain string` The domain and path that Access will secure.
    - `Type string` The application type.
    - `ID string` UUID.
    - `AllowIframe bool` Enables loading application content in an iFrame.
    - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `AppLauncherVisible bool` Displays the application in the App Launcher.
    - `AUD string` Audience tag.
    - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `CORSHeaders ApplicationBrowserVNCApplicationCORSHeaders`
      - `AllowAllHeaders bool` Allows all HTTP request headers.
      - `AllowAllMethods bool` Allows all HTTP request methods.
      - `AllowAllOrigins bool` Allows all origins.
      - `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `AllowedHeaders []unknown` Allowed HTTP request headers.
      - `AllowedMethods []AllowedMethods` Allowed HTTP request methods.
        - `const AllowedMethodsGet AllowedMethods = "GET"`
        - `const AllowedMethodsPost AllowedMethods = "POST"`
        - `const AllowedMethodsHead AllowedMethods = "HEAD"`
        - `const AllowedMethodsPut AllowedMethods = "PUT"`
        - `const AllowedMethodsDelete AllowedMethods = "DELETE"`
        - `const AllowedMethodsConnect AllowedMethods = "CONNECT"`
        - `const AllowedMethodsOptions AllowedMethods = "OPTIONS"`
        - `const AllowedMethodsTrace AllowedMethods = "TRACE"`
        - `const AllowedMethodsPatch AllowedMethods = "PATCH"`
      - `AllowedOrigins []unknown` Allowed origins.
      - `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached.
    - `CreatedAt Time`
    - `CustomDenyMessage string` The custom error message shown to a user when they are denied access to the application.
    - `CustomDenyURL string` The custom URL a user is redirected to when they are denied access to the application.
    - `EnableBindingCookie bool` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `HTTPOnlyCookieAttribute bool` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
    - `Name string` The name of the application.
    - `OptionsPreflightBypass bool` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `SameSiteCookieAttribute string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `ServiceAuth401Redirect bool` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `SkipInterstitial bool` Enables automatic authentication through cloudflared.
    - `UpdatedAt Time`
    - `UseClientlessIsolationAppLauncherURL bool` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `ApplicationAppLauncherApplication`
    - `Type ApplicationAppLauncherApplicationType` The application type.
      - `const ApplicationAppLauncherApplicationTypeSelfHosted ApplicationAppLauncherApplicationType = "self_hosted"`
      - `const ApplicationAppLauncherApplicationTypeSaaS ApplicationAppLauncherApplicationType = "saas"`
      - `const ApplicationAppLauncherApplicationTypeSSH ApplicationAppLauncherApplicationType = "ssh"`
      - `const ApplicationAppLauncherApplicationTypeVNC ApplicationAppLauncherApplicationType = "vnc"`
      - `const ApplicationAppLauncherApplicationTypeAppLauncher ApplicationAppLauncherApplicationType = "app_launcher"`
      - `const ApplicationAppLauncherApplicationTypeWARP ApplicationAppLauncherApplicationType = "warp"`
      - `const ApplicationAppLauncherApplicationTypeBISO ApplicationAppLauncherApplicationType = "biso"`
      - `const ApplicationAppLauncherApplicationTypeBookmark ApplicationAppLauncherApplicationType = "bookmark"`
      - `const ApplicationAppLauncherApplicationTypeDashSSO ApplicationAppLauncherApplicationType = "dash_sso"`
    - `ID string` UUID.
    - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `AUD string` Audience tag.
    - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `CreatedAt Time`
    - `Domain string` The domain and path that Access will secure.
    - `Name string` The name of the application.
    - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `UpdatedAt Time`
  - `ApplicationDeviceEnrollmentPermissionsApplication`
    - `Type ApplicationDeviceEnrollmentPermissionsApplicationType` The application type.
      - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeSelfHosted ApplicationDeviceEnrollmentPermissionsApplicationType = "self_hosted"`
      - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeSaaS ApplicationDeviceEnrollmentPermissionsApplicationType = "saas"`
      - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeSSH ApplicationDeviceEnrollmentPermissionsApplicationType = "ssh"`
      - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeVNC ApplicationDeviceEnrollmentPermissionsApplicationType = "vnc"`
      - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeAppLauncher ApplicationDeviceEnrollmentPermissionsApplicationType = "app_launcher"`
      - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeWARP ApplicationDeviceEnrollmentPermissionsApplicationType = "warp"`
      - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeBISO ApplicationDeviceEnrollmentPermissionsApplicationType = "biso"`
      - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeBookmark ApplicationDeviceEnrollmentPermissionsApplicationType = "bookmark"`
      - `const ApplicationDeviceEnrollmentPermissionsApplicationTypeDashSSO ApplicationDeviceEnrollmentPermissionsApplicationType = "dash_sso"`
    - `ID string` UUID.
    - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `AUD string` Audience tag.
    - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `CreatedAt Time`
    - `Domain string` The domain and path that Access will secure.
    - `Name string` The name of the application.
    - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `UpdatedAt Time`
  - `ApplicationBrowserIsolationPermissionsApplication`
    - `Type ApplicationBrowserIsolationPermissionsApplicationType` The application type.
      - `const ApplicationBrowserIsolationPermissionsApplicationTypeSelfHosted ApplicationBrowserIsolationPermissionsApplicationType = "self_hosted"`
      - `const ApplicationBrowserIsolationPermissionsApplicationTypeSaaS ApplicationBrowserIsolationPermissionsApplicationType = "saas"`
      - `const ApplicationBrowserIsolationPermissionsApplicationTypeSSH ApplicationBrowserIsolationPermissionsApplicationType = "ssh"`
      - `const ApplicationBrowserIsolationPermissionsApplicationTypeVNC ApplicationBrowserIsolationPermissionsApplicationType = "vnc"`
      - `const ApplicationBrowserIsolationPermissionsApplicationTypeAppLauncher ApplicationBrowserIsolationPermissionsApplicationType = "app_launcher"`
      - `const ApplicationBrowserIsolationPermissionsApplicationTypeWARP ApplicationBrowserIsolationPermissionsApplicationType = "warp"`
      - `const ApplicationBrowserIsolationPermissionsApplicationTypeBISO ApplicationBrowserIsolationPermissionsApplicationType = "biso"`
      - `const ApplicationBrowserIsolationPermissionsApplicationTypeBookmark ApplicationBrowserIsolationPermissionsApplicationType = "bookmark"`
      - `const ApplicationBrowserIsolationPermissionsApplicationTypeDashSSO ApplicationBrowserIsolationPermissionsApplicationType = "dash_sso"`
    - `ID string` UUID.
    - `AllowedIdPs []AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `AUD string` Audience tag.
    - `AutoRedirectToIdentity bool` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `CreatedAt Time`
    - `Domain string` The domain and path that Access will secure.
    - `Name string` The name of the application.
    - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `SessionDuration string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `UpdatedAt Time`
  - `ApplicationBookmarkApplication`
    - `Domain string` The URL or domain of the bookmark.
    - `Type string` The application type.
    - `ID string` UUID.
    - `AppLauncherVisible unknown`
    - `AUD string` Audience tag.
    - `CreatedAt Time`
    - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard.
    - `Name string` The name of the application.
    - `SCIMConfig ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `UpdatedAt Time`

### Application Policy

- `type ApplicationPolicy struct{…}`
  - `ID string` The UUID of the policy
  - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules ApplicationPolicyConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `RDP ApplicationPolicyConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []ApplicationPolicyConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const ApplicationPolicyConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText ApplicationPolicyConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []ApplicationPolicyConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const ApplicationPolicyConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText ApplicationPolicyConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `CreatedAt Time`
  - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `const DecisionAllow Decision = "allow"`
    - `const DecisionDeny Decision = "deny"`
    - `const DecisionNonIdentity Decision = "non_identity"`
    - `const DecisionBypass Decision = "bypass"`
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
- `ID string` The ID of an Authentication context.
- `AcID string` The ACID of an Authentication context.
- `IdentityProviderID string` The ID of your Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options
- `AuthMethod AuthenticationMethodRuleAuthMethod`
- `AuthMethod string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
- `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `AzureAD AzureGroupRuleAzureAD`
- `ID string` The ID of an Azure group.
- `IdentityProviderID string` The ID of your Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate.
- `Certificate CertificateRuleCertificate`
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
- `CommonName AccessRuleAccessCommonNameRuleCommonName`
- `CommonName string` The common name to match.
- `type CountryRule struct{…}` Matches a specific country
- `Geo CountryRuleGeo`
- `CountryCode string` The country code that should be matched.
- `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
- `DevicePosture AccessDevicePostureRuleDevicePosture`
- `IntegrationUID string` The ID of a device posture integration.
- `type DomainRule struct{…}` Match an entire email domain.
- `EmailDomain DomainRuleEmailDomain`
- `Domain string` The email domain to match.
- `type EmailListRule struct{…}` Matches an email address from a list.
- `EmailList EmailListRuleEmailList`
- `ID string` The ID of a previously created email list.
- `type EmailRule struct{…}` Matches a specific email.
- `Email EmailRuleEmail`
- `Email string` The email of the user.
- `type EveryoneRule struct{…}` Matches everyone.
- `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
- `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
- `EvaluateURL string` The API endpoint containing your business logic.
- `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
- `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
- `IdentityProviderID string` The ID of your GitHub identity provider.
- `Name string` The name of the organization.
- `Team string` The name of the team
- `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `GSuite GSuiteGroupRuleGSuite`
- `Email string` The email of the Google Workspace group.
- `IdentityProviderID string` The ID of your Google Workspace identity provider.
- `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
- `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
- `ID string` The ID of an identity provider.
- `type IPListRule struct{…}` Matches an IP address from a list.
- `IPList IPListRuleIPList`
- `ID string` The ID of a previously created IP list.
- `type IPRule struct{…}` Matches an IP address block.
- `IP IPRuleIP`
- `IP string` An IPv4 or IPv6 CIDR block.
- `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
- `Okta OktaGroupRuleOkta`
- `IdentityProviderID string` The ID of your Okta identity provider.
- `Name string` The name of the Okta group.
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
- `SAML SAMLGroupRuleSAML`
- `AttributeName string` The name of the SAML attribute.
- `AttributeValue string` The SAML attribute value to look for.
- `IdentityProviderID string` The ID of your SAML identity provider.
- `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
- `ClaimName string` The name of the OIDC claim.
- `ClaimValue string` The OIDC claim value to look for.
- `IdentityProviderID string` The ID of your OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
- `ServiceToken ServiceTokenRuleServiceToken`
- `TokenID string` The ID of a Service Token.
- `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
- `AppUID string` The ID of an Access OIDC SaaS application
- `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
- `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
- `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
- `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
- `type GroupRule struct{…}` Matches an Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
- `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options
- `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
- `type CountryRule struct{…}` Matches a specific country
- `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
- `type DomainRule struct{…}` Match an entire email domain.
- `type EmailListRule struct{…}` Matches an email address from a list.
- `type EmailRule struct{…}` Matches a specific email.
- `type EveryoneRule struct{…}` Matches everyone.
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
- `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
- `type IPListRule struct{…}` Matches an IP address from a list.
- `type IPRule struct{…}` Matches an IP address block.
- `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
- `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
- `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
Only compatible with non_identity and bypass decisions.
- `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `MfaConfig ApplicationPolicyMfaConfig` Configures multi-factor authentication (MFA) settings.
- `AllowedAuthenticators []ApplicationPolicyMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
- `const ApplicationPolicyMfaConfigAllowedAuthenticatorTotp ApplicationPolicyMfaConfigAllowedAuthenticator = "totp"`
- `const ApplicationPolicyMfaConfigAllowedAuthenticatorBiometrics ApplicationPolicyMfaConfigAllowedAuthenticator = "biometrics"`
- `const ApplicationPolicyMfaConfigAllowedAuthenticatorSecurityKey ApplicationPolicyMfaConfigAllowedAuthenticator = "security_key"`
- `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `Name string` The name of the Access policy.
- `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
- `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
- `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `type GroupRule struct{…}` Matches an Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
- `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options
- `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
- `type CertificateRule struct{…}` Matches any valid client certificate.
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
- `type CountryRule struct{…}` Matches a specific country
- `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
- `type DomainRule struct{…}` Match an entire email domain.
- `type EmailListRule struct{…}` Matches an email address from a list.
- `type EmailRule struct{…}` Matches a specific email.
- `type EveryoneRule struct{…}` Matches everyone.
- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
- `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
- `type IPListRule struct{…}` Matches an IP address from a list.
- `type IPRule struct{…}` Matches an IP address block.
- `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
- `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
- `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
- `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `UpdatedAt Time`

### Application SCIM Config

- `type ApplicationSCIMConfig struct{…}` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `IdPUID string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `RemoteURI string` The base URI for the application's SCIM-compatible API.
- `Authentication ApplicationSCIMConfigAuthenticationUnion` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `Password string` Password used to authenticate with the remote SCIM service.
- `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application.
- `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"`
- `User string` User name used to authenticate with the remote SCIM service.
- `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken`
- `Token string` Token used to authenticate with the remote SCIM service.
- `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"`
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AuthorizationURL string` URL used to generate the auth code used during token generation.
- `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
- `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
- `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application.
- `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"`
- `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service.
- `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
- `ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken`
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service.
- `Scheme ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"`
- `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthentication`
- `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken`
- `Token string` Token used to authenticate with the remote SCIM service.
- `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"`
- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken`
- `ClientID string` Client ID of the Access service token used to authenticate with the remote service.
- `ClientSecret string` Client secret of the Access service token used to authenticate with the remote service.
- `Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenSchemeAccessServiceToken ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme = "access_service_token"`
- `DeactivateOnDelete bool` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
- `Enabled bool` Whether SCIM provisioning is turned on for this application.
- `Mappings []SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `Schema string` Which SCIM resource type this mapping applies to.
- `Enabled bool` Whether or not this mapping is enabled.
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes.
- `Create bool` Whether or not this mapping applies to create (POST) operations.
- `Delete bool` Whether or not this mapping applies to DELETE operations.
- `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations.
- `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"`
- `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"`
- `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Application Type

- `type ApplicationType string` The application type.
- `const ApplicationTypeSelfHosted ApplicationType = "self_hosted"`
- `const ApplicationTypeSaaS ApplicationType = "saas"`
- `const ApplicationTypeSSH ApplicationType = "ssh"`
- `const ApplicationTypeVNC ApplicationType = "vnc"`
- `const ApplicationTypeAppLauncher ApplicationType = "app_launcher"`
- `const ApplicationTypeWARP ApplicationType = "warp"`
- `const ApplicationTypeBISO ApplicationType = "biso"`
- `const ApplicationTypeBookmark ApplicationType = "bookmark"`
- `const ApplicationTypeDashSSO ApplicationType = "dash_sso"`
- `const ApplicationTypeInfrastructure ApplicationType = "infrastructure"`
- `const ApplicationTypeRDP ApplicationType = "rdp"`
- `const ApplicationTypeMcp ApplicationType = "mcp"`
- `const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"`
- `const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"`

### CORS Headers

- `type CORSHeaders struct{…}`
- `AllowAllHeaders bool` Allows all HTTP request headers.
- `AllowAllMethods bool` Allows all HTTP request methods.
- `AllowAllOrigins bool` Allows all origins.
- `AllowCredentials bool` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
- `AllowedHeaders []AllowedHeaders` Allowed HTTP request headers.
- `AllowedMethods []AllowedMethods` Allowed HTTP request methods.
- `const AllowedMethodsGet AllowedMethods = "GET"`
- `const AllowedMethodsPost AllowedMethods = "POST"`
- `const AllowedMethodsHead AllowedMethods = "HEAD"`
- `const AllowedMethodsPut AllowedMethods = "PUT"`
- `const AllowedMethodsDelete AllowedMethods = "DELETE"`
- `const AllowedMethodsConnect AllowedMethods = "CONNECT"`
- `const AllowedMethodsOptions AllowedMethods = "OPTIONS"`
- `const AllowedMethodsTrace AllowedMethods = "TRACE"`
- `const AllowedMethodsPatch AllowedMethods = "PATCH"`
- `AllowedOrigins []AllowedOrigins` Allowed origins.
- `MaxAge float64` The maximum number of seconds the results of a preflight request can be cached.

### Decision

- `type Decision string` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `const DecisionAllow Decision = "allow"`
- `const DecisionDeny Decision = "deny"`
- `const DecisionNonIdentity Decision = "non_identity"`
- `const DecisionBypass Decision = "bypass"`

### OIDC SaaS App

- `type OIDCSaaSApp struct{…}`
- `AccessTokenLifetime string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
- `AllowPKCEWithoutClientSecret bool` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
- `AppLauncherURL string` The URL where this application's tile redirects users
- `AuthType OIDCSaaSAppAuthType` Identifier of the authentication protocol used for the saas app. Required for OIDC.
- `const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"`
- `const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"`
- `ClientID string` The application client id
- `ClientSecret string` The application client secret, only returned on POST request.
- `CustomClaims []OIDCSaaSAppCustomClaim`
- `Name string` The name of the claim.
- `Required bool` If the claim is required when building an OIDC token.
- `Scope OIDCSaaSAppCustomClaimsScope` The scope of the claim.
- `const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"`
- `const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"`
- `const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"`
- `const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"`
- `Source OIDCSaaSAppCustomClaimsSource`
- `Name string` The name of the IdP claim.
- `NameByIdP map[string, string]` A mapping from IdP ID to claim name.
- `GrantTypes []OIDCSaaSAppGrantType` The OIDC flows supported by this application
- `const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"`
- `const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"`
- `const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"`
- `const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"`
- `const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"`
- `GroupFilterRegex string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
- `HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptions`
- `ReturnAccessTokenFromAuthorizationEndpoint bool` If an Access Token should be returned from the OIDC Authorization endpoint
- `ReturnIDTokenFromAuthorizationEndpoint bool` If an ID Token should be returned from the OIDC Authorization endpoint
- `PublicKey string` The Access public certificate that will be used to verify your identity.
- `RedirectURIs []string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens
- `RefreshTokenOptions OIDCSaaSAppRefreshTokenOptions`
- `Lifetime string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
- `Scopes []OIDCSaaSAppScope` Define the user information shared with access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
- `const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"`
- `const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"`
- `const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"`
- `const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"`

### SaaS App Name ID Format

- `type SaaSAppNameIDFormat string` The format of the name identifier sent to the SaaS application.
- `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"`
- `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"`

### SAML SaaS App

- `type SAMLSaaSApp struct{…}`
- `AuthType SAMLSaaSAppAuthType` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml"
- `const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"`
- `const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"`
- `ConsumerServiceURL string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
- `CustomAttributes []SAMLSaaSAppCustomAttribute`
- `FriendlyName string` The SAML FriendlyName of the attribute.
- `Name string` The name of the attribute.
- `NameFormat SAMLSaaSAppCustomAttributesNameFormat` A globally unique name for an identity or service provider.
- `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
- `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
- `const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
- `Required bool` If the attribute is required when building a SAML assertion.
- `Source SAMLSaaSAppCustomAttributesSource`
- `Name string` The name of the IdP attribute.
- `NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP` A mapping from IdP ID to attribute name.
- `IdPID string` The UID of the IdP.
- `SourceName string` The name of the IdP provided attribute.
- `DefaultRelayState string` The URL that the user will be redirected to after a successful login for IDP initiated logins.
- `IdPEntityID string` The unique identifier for your SaaS application.
- `NameIDFormat SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
- `const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"`
- `const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"`
- `NameIDTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
- `PublicKey string` The Access public certificate that will be used to verify your identity.
- `SAMLAttributeTransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values.
It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
- `SPEntityID string` A globally unique name for an identity or service provider.
- `SSOEndpoint string` The endpoint where your SaaS application will send login requests.

### SCIM Config Authentication HTTP Basic

- `type SCIMConfigAuthenticationHTTPBasic struct{…}` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `Password string` Password used to authenticate with the remote SCIM service.
- `Scheme SCIMConfigAuthenticationHTTPBasicScheme` The authentication scheme to use when making SCIM requests to this application.
- `const SCIMConfigAuthenticationHTTPBasicSchemeHttpbasic SCIMConfigAuthenticationHTTPBasicScheme = "httpbasic"`
- `User string` User name used to authenticate with the remote SCIM service.

### SCIM Config Authentication OAuth Bearer Token

- `type SCIMConfigAuthenticationOAuthBearerToken struct{…}` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `Token string` Token used to authenticate with the remote SCIM service.
- `Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme` The authentication scheme to use when making SCIM requests to this application.
- `const SCIMConfigAuthenticationOAuthBearerTokenSchemeOauthbearertoken SCIMConfigAuthenticationOAuthBearerTokenScheme = "oauthbearertoken"`

### SCIM Config Authentication Oauth2

- `type SCIMConfigAuthenticationOauth2 struct{…}` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AuthorizationURL string` URL used to generate the auth code used during token generation.
- `ClientID string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
- `ClientSecret string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
- `Scheme SCIMConfigAuthenticationOauth2Scheme` The authentication scheme to use when making SCIM requests to this application.
- `const SCIMConfigAuthenticationOauth2SchemeOauth2 SCIMConfigAuthenticationOauth2Scheme = "oauth2"`
- `TokenURL string` URL used to generate the token used to authenticate with the remote SCIM service.
- `Scopes []string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

### SCIM Config Mapping

- `type SCIMConfigMapping struct{…}` Transformations and filters applied to resources before they are provisioned in the remote SCIM service.
- `Schema string` Which SCIM resource type this mapping applies to.
- `Enabled bool` Whether or not this mapping is enabled.
- `Filter string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `Operations SCIMConfigMappingOperations` Whether or not this mapping applies to creates, updates, or deletes.
- `Create bool` Whether or not this mapping applies to create (POST) operations.
- `Delete bool` Whether or not this mapping applies to DELETE operations.
- `Update bool` Whether or not this mapping applies to update (PATCH/PUT) operations.
- `Strictness SCIMConfigMappingStrictness` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
- `const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"`
- `const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"`
- `TransformJsonata string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
### Self Hosted Domains

- `type SelfHostedDomains string` A domain that Access will secure.

# CAs

## List short-lived certificate CAs

`client.ZeroTrust.Access.Applications.CAs.List(ctx, params) (*V4PagePaginationArray[CA], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca`

Lists short-lived certificate CAs and their public keys.

### Parameters

- `params AccessApplicationCAListParams`
- `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `Page param.Field[int64]` Query param: Page number of results.
- `PerPage param.Field[int64]` Query param: Number of results per page.

### Returns

- `type CA struct{…}`
- `ID string` The ID of the CA.
- `AUD string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
- `PublicKey string` The public key to add to your SSH server configuration.
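
Because the `PublicKey` value ends up in an SSH server's trust configuration, it is worth validating before it is written there. The program below is an added example, not code from this page or from the cloudflare-go SDK: it checks that the string is a well-formed OpenSSH public key line whose declared type matches the type encoded in the key blob, and computes its SHA256 fingerprint. The type allow-list, the helper names and the sample key (constructed from fixed bytes) are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// CAKey is a validated OpenSSH public key line: "<type> <base64 blob> [comment]".
type CAKey struct {
	Type        string
	Blob        []byte
	Comment     string
	Fingerprint string // "SHA256:" + unpadded base64, the form ssh-keygen -l prints
}

// allowedTypes is a local policy choice (assumption), not dictated by the API.
var allowedTypes = map[string]bool{
	"ecdsa-sha2-nistp256": true,
	"ecdsa-sha2-nistp384": true,
	"ecdsa-sha2-nistp521": true,
	"ssh-ed25519":         true,
}

// wireFields splits an SSH wire-format blob into its length-prefixed fields.
func wireFields(blob []byte) ([][]byte, error) {
	var fields [][]byte
	for len(blob) > 0 {
		if len(blob) < 4 {
			return nil, errors.New("truncated length prefix in key blob")
		}
		n := uint64(binary.BigEndian.Uint32(blob[:4]))
		blob = blob[4:]
		if n > uint64(len(blob)) {
			return nil, errors.New("field length exceeds key blob")
		}
		fields = append(fields, blob[:n])
		blob = blob[n:]
	}
	return fields, nil
}

// ParseCAPublicKey validates a public_key string before it is trusted.
func ParseCAPublicKey(line string) (CAKey, error) {
	// A line break would smuggle a second entry into a one-key-per-line file.
	if strings.ContainsAny(line, "\r\n") {
		return CAKey{}, errors.New("public key contains a line break")
	}
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return CAKey{}, errors.New(`expected "<type> <base64> [comment]"`)
	}
	if !allowedTypes[parts[0]] {
		return CAKey{}, fmt.Errorf("key type %q is not on the allow-list", parts[0])
	}
	blob, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return CAKey{}, fmt.Errorf("key data is not valid base64: %w", err)
	}
	fields, err := wireFields(blob)
	if err != nil {
		return CAKey{}, err
	}
	// The first wire field repeats the algorithm name; it must match the text.
	if len(fields) < 2 || string(fields[0]) != parts[0] {
		return CAKey{}, errors.New("declared key type does not match key blob")
	}
	sum := sha256.Sum256(blob)
	return CAKey{
		Type:        parts[0],
		Blob:        blob,
		Comment:     strings.Join(parts[2:], " "),
		Fingerprint: "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]),
	}, nil
}

// TrustLine re-encodes the validated blob, so only checked bytes reach the file.
func (k CAKey) TrustLine() string {
	return strings.TrimSpace(k.Type + " " + base64.StdEncoding.EncodeToString(k.Blob) + " " + k.Comment)
}

// constructedSample builds a structurally valid line; it is not a real CA key.
func constructedSample() string {
	var blob []byte
	for _, f := range [][]byte{[]byte("ssh-ed25519"), make([]byte, 32)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		blob = append(append(blob, n[:]...), f...)
	}
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " constructed-sample-ca"
}

func main() {
	k, err := ParseCAPublicKey(constructedSample())
	fmt.Println(k.Fingerprint, k.TrustLine(), err)
}
```

The masked `public_key` value shown in the sample responses on this page is rejected by this check, since its blob does not decode to a valid key structure.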
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Applications.CAs.List(context.TODO(), zero_trust.AccessApplicationCAListParams{
		// Placeholder: supply either AccountID or ZoneID (mutually exclusive).
		AccountID: cloudflare.F("YOUR_ACCOUNT_ID"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a short-lived certificate CA

`client.ZeroTrust.Access.Applications.CAs.Get(ctx, appID, query) (*CA, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Fetches a short-lived certificate CA and its public key.

### Parameters

- `appID string` UUID.
- `query AccessApplicationCAGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type CA struct{…}`
  - `ID string` The ID of the CA.
  - `AUD string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `PublicKey string` The public key to add to your SSH server configuration.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ca, err := client.ZeroTrust.Access.Applications.CAs.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationCAGetParams{
			// Placeholder: supply either AccountID or ZoneID (mutually exclusive).
			AccountID: cloudflare.F("YOUR_ACCOUNT_ID"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ca.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Create a short-lived certificate CA

`client.ZeroTrust.Access.Applications.CAs.New(ctx, appID, body) (*CA, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Generates a new short-lived certificate CA and public key.

### Parameters

- `appID string` UUID.
- `body AccessApplicationCANewParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type CA struct{…}`
  - `ID string` The ID of the CA.
  - `AUD string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `PublicKey string` The public key to add to your SSH server configuration.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ca, err := client.ZeroTrust.Access.Applications.CAs.New(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationCANewParams{
			// Placeholder: supply either AccountID or ZoneID (mutually exclusive).
			AccountID: cloudflare.F("YOUR_ACCOUNT_ID"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ca.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Delete a short-lived certificate CA

`client.ZeroTrust.Access.Applications.CAs.Delete(ctx, appID, body) (*AccessApplicationCADeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Deletes a short-lived certificate CA.

### Parameters

- `appID string` UUID.
- `body AccessApplicationCADeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationCADeleteResponse struct{…}`
  - `ID string` The ID of the CA.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ca, err := client.ZeroTrust.Access.Applications.CAs.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationCADeleteParams{
			// Placeholder: supply either AccountID or ZoneID (mutually exclusive).
			AccountID: cloudflare.F("YOUR_ACCOUNT_ID"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ca.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9"
  }
}
```

## Domain Types

### CA

- `type CA struct{…}`
  - `ID string` The ID of the CA.
  - `AUD string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `PublicKey string` The public key to add to your SSH server configuration.

# User Policy Checks

## Test Access policies

`client.ZeroTrust.Access.Applications.UserPolicyChecks.List(ctx, appID, query) (*AccessApplicationUserPolicyCheckListResponse, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks`

Tests if a specific user has permission to access an application.

### Parameters

- `AppID AppID` Identifier.
- `query AccessApplicationUserPolicyCheckListParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationUserPolicyCheckListResponse struct{…}`
  - `AppState AccessApplicationUserPolicyCheckListResponseAppState`
    - `AppUID string` UUID.
- `AUD string` - `Hostname string` - `Name string` - `Policies []unknown` - `Status string` - `UserIdentity AccessApplicationUserPolicyCheckListResponseUserIdentity` - `ID string` - `AccountID string` - `DeviceSessions unknown` - `Email string` - `Geo UserPolicyCheckGeo` - `Country string` - `Iat int64` - `IsGateway bool` - `IsWARP bool` - `Name string` - `UserUUID string` UUID. - `Version int64` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) userPolicyChecks, err := client.ZeroTrust.Access.Applications.UserPolicyChecks.List( context.TODO(), "023e105f4ecef8ad9ca31a8372d0c353", zero_trust.AccessApplicationUserPolicyCheckListParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", userPolicyChecks.UserIdentity) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "app_state": { "app_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe389", "hostname": "test.com", "name": "Test App", "policies": [ { "decision": "allow", "exclude": [], "include": [ { "_type": "email", "email": "testuser@gmail.com" } ], "precedence": 1, "require": [], "status": "Success" } ], "status": "Success" }, "user_identity": { "id": "1164449231815010287495", "account_id": "41ecfbb341f033e52b46742756aabb8b", "device_sessions": {}, "email": "testuser@gmail.com", "geo": { "country": "US" }, "iat": 0, "is_gateway": false, "is_warp": false, "name": "Test User", "user_uuid": 
"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "version": 0 } } } ``` ## Domain Types ### User Policy Check Geo - `type UserPolicyCheckGeo struct{…}` - `Country string` # Policies ## List Access application policies `client.ZeroTrust.Access.Applications.Policies.List(ctx, appID, params) (*V4PagePaginationArray[AccessApplicationPolicyListResponse], error)` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies` Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application. ### Parameters - `appID string` UUID. - `params AccessApplicationPolicyListParams` - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `Page param.Field[int64]` Query param: Page number of results. - `PerPage param.Field[int64]` Query param: Number of results per page. ### Returns - `type AccessApplicationPolicyListResponse struct{…}` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of an re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationPolicyListResponseConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationPolicyListResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session. - `const AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"` - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine. - `const AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyListResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"` - `CreatedAt Time` - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `const DecisionAllow Decision = "allow"` - `const DecisionDeny Decision = "deny"` - `const DecisionNonIdentity Decision = "non_identity"` - `const DecisionBypass Decision = "bypass"` - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. 
- `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. 
- `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `MfaConfig AccessApplicationPolicyListResponseMfaConfig` Configures multi-factor authentication (MFA) settings. - `AllowedAuthenticators []AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with. - `const AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticator = "totp"` - `const AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticator = "biometrics"` - `const AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyListResponseMfaConfigAllowedAuthenticator = "security_key"` - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `Name string` The name of the Access policy. - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app. - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen. - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context.
Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
- `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Access.Applications.Policies.List( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessApplicationPolicyListParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, 
"name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get an Access application policy `client.ZeroTrust.Access.Applications.Policies.Get(ctx, appID, policyID, query) (*AccessApplicationPolicyGetResponse, error)` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}` Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application. ### Parameters - `appID string` UUID. - `policyID string` UUID. - `query AccessApplicationPolicyGetParams` - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `type AccessApplicationPolicyGetResponse struct{…}` - `ID string` The UUID of the policy - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request. - `ApprovalsNeeded float64` The number of approvals needed to obtain access. - `EmailAddresses []string` A list of emails that can approve the access request. - `EmailListUUID string` The UUID of an re-usable email list. - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session. - `ConnectionRules AccessApplicationPolicyGetResponseConnectionRules` The rules that define how users may connect to targets secured by your application. - `RDP AccessApplicationPolicyGetResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyGetResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `CreatedAt Time`
  - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `const DecisionAllow Decision = "allow"`
    - `const DecisionDeny Decision = "deny"`
    - `const DecisionNonIdentity Decision = "non_identity"`
    - `const DecisionBypass Decision = "bypass"`
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country.
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your GitHub identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `MfaConfig AccessApplicationPolicyGetResponseMfaConfig` Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyGetResponseMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Name string` The name of the Access policy.
  - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
  - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
  - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
  - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Authenticate with an API key and the account e-mail (documentation placeholders).
	client := cloudflare.NewClient(
		option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
		option.WithAPIEmail("user@example.com"),
	)
	policy, err := client.ZeroTrust.Access.Applications.Policies.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", // appID
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", // policyID
		zero_trust.AccessApplicationPolicyGetParams{
			// Set AccountID or ZoneID here; the two are mutually exclusive.
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access application policy

`client.ZeroTrust.Access.Applications.Policies.New(ctx, appID, params) (*AccessApplicationPolicyNewResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Creates a policy that applies exclusively to a single application and defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.

### Parameters

- `appID string` UUID.
- `params AccessApplicationPolicyNewParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `ApprovalGroups param.Field[[]ApprovalGroup]` Body param: Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired param.Field[bool]` Body param: Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules param.Field[AccessApplicationPolicyNewParamsConnectionRules]` Body param: The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyNewParamsConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `IsolationRequired param.Field[bool]` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `MfaConfig param.Field[AccessApplicationPolicyNewParamsMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyNewParamsMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Precedence param.Field[int64]` Body param: The order of execution for this policy. Must be unique for each policy within an app.
  - `PurposeJustificationPrompt param.Field[string]` Body param: A custom message that will appear on the purpose justification screen.
  - `PurposeJustificationRequired param.Field[bool]` Body param: Require users to enter a justification when they log in to the application.
  - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `type AccessApplicationPolicyNewResponse struct{…}`
  - `ID string` The UUID of the policy.
  - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules AccessApplicationPolicyNewResponseConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyNewResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyNewResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `CreatedAt Time`
  - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `const DecisionAllow Decision = "allow"`
    - `const DecisionDeny Decision = "deny"`
    - `const DecisionNonIdentity Decision = "non_identity"`
    - `const DecisionBypass Decision = "bypass"`
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country.
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your GitHub identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `MfaConfig AccessApplicationPolicyNewResponseMfaConfig` Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyNewResponseMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Name string` The name of the Access policy.
  - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
  - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
  - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
  - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully.
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Authenticate with an API token (documentation placeholder).
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policy, err := client.ZeroTrust.Access.Applications.Policies.New(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", // appID
		zero_trust.AccessApplicationPolicyNewParams{
			// Set AccountID or ZoneID here (mutually exclusive), plus any body params.
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access application policy

`client.ZeroTrust.Access.Applications.Policies.Update(ctx, appID, policyID, params) (*AccessApplicationPolicyUpdateResponse, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

### Parameters

- `appID string` UUID.
- `policyID string` UUID.
- `params AccessApplicationPolicyUpdateParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `ApprovalGroups param.Field[[]ApprovalGroup]` Body param: Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired param.Field[bool]` Body param: Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules param.Field[AccessApplicationPolicyUpdateParamsConnectionRules]` Body param: The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyUpdateParamsConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyUpdateParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `IsolationRequired param.Field[bool]` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `MfaConfig param.Field[AccessApplicationPolicyUpdateParamsMfaConfig]` Body param: Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyUpdateParamsMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Precedence param.Field[int64]` Body param: The order of execution for this policy. Must be unique for each policy within an app.
  - `PurposeJustificationPrompt param.Field[string]` Body param: A custom message that will appear on the purpose justification screen.
  - `PurposeJustificationRequired param.Field[bool]` Body param: Require users to enter a justification when they log in to the application.
  - `SessionDuration param.Field[string]` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `type AccessApplicationPolicyUpdateResponse struct{…}`
  - `ID string` The UUID of the policy
  - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
    - `EmailAddresses []string` A list of emails that can approve the access request.
    - `EmailListUUID string` The UUID of a reusable email list.
  - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
  - `ConnectionRules AccessApplicationPolicyUpdateResponseConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `RDP AccessApplicationPolicyUpdateResponseConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `const AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
      - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `const AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyUpdateResponseConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
  - `CreatedAt Time`
  - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `const DecisionAllow Decision = "allow"`
    - `const DecisionDeny Decision = "deny"`
    - `const DecisionNonIdentity Decision = "non_identity"`
    - `const DecisionBypass Decision = "bypass"`
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your GitHub identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `MfaConfig AccessApplicationPolicyUpdateResponseMfaConfig` Configures multi-factor authentication (MFA) settings.
    - `AllowedAuthenticators []AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
      - `const AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticator = "totp"`
      - `const AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticator = "biometrics"`
      - `const AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyUpdateResponseMfaConfigAllowedAuthenticator = "security_key"`
    - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `Name string` The name of the Access policy.
  - `Precedence int64` The order of execution for this policy. Must be unique for each policy within an app.
  - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
  - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
  - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policy, err := client.ZeroTrust.Access.Applications.Policies.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationPolicyUpdateParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access application policy

`client.ZeroTrust.Access.Applications.Policies.Delete(ctx, appID, policyID, body) (*AccessApplicationPolicyDeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

### Parameters

- `appID string` UUID.
- `policyID string` UUID.
- `body AccessApplicationPolicyDeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessApplicationPolicyDeleteResponse struct{…}`
  - `ID string` UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policy, err := client.ZeroTrust.Access.Applications.Policies.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessApplicationPolicyDeleteParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policy.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Access Device Posture Rule

- `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
  - `DevicePosture AccessDevicePostureRuleDevicePosture`
    - `IntegrationUID string` The ID of a device posture integration.

### Access Rule

- `type AccessRule interface{…}` Matches an Access group.
  - `type GroupRule struct{…}` Matches an Access group.
    - `Group GroupRuleGroup`
      - `ID string` The ID of a previously created Access group.
  - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
  - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
      - `ID string` The ID of an Authentication context.
      - `AcID string` The ACID of an Authentication context.
      - `IdentityProviderID string` The ID of your Azure identity provider.
  - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `AuthMethod AuthenticationMethodRuleAuthMethod`
      - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `AzureAD AzureGroupRuleAzureAD`
      - `ID string` The ID of an Azure group.
      - `IdentityProviderID string` The ID of your Azure identity provider.
  - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `Certificate CertificateRuleCertificate`
  - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `CommonName AccessRuleAccessCommonNameRuleCommonName`
      - `CommonName string` The common name to match.
  - `type CountryRule struct{…}` Matches a specific country
    - `Geo CountryRuleGeo`
      - `CountryCode string` The country code that should be matched.
  - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `DevicePosture AccessDevicePostureRuleDevicePosture`
      - `IntegrationUID string` The ID of a device posture integration.
  - `type DomainRule struct{…}` Match an entire email domain.
    - `EmailDomain DomainRuleEmailDomain`
      - `Domain string` The email domain to match.
  - `type EmailListRule struct{…}` Matches an email address from a list.
    - `EmailList EmailListRuleEmailList`
      - `ID string` The ID of a previously created email list.
  - `type EmailRule struct{…}` Matches a specific email.
    - `Email EmailRuleEmail`
      - `Email string` The email of the user.
  - `type EveryoneRule struct{…}` Matches everyone.
    - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
  - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
      - `EvaluateURL string` The API endpoint containing your business logic.
      - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
      - `IdentityProviderID string` The ID of your GitHub identity provider.
      - `Name string` The name of the organization.
      - `Team string` The name of the team
  - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `GSuite GSuiteGroupRuleGSuite`
      - `Email string` The email of the Google Workspace group.
      - `IdentityProviderID string` The ID of your Google Workspace identity provider.
  - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
      - `ID string` The ID of an identity provider.
  - `type IPListRule struct{…}` Matches an IP address from a list.
    - `IPList IPListRuleIPList`
      - `ID string` The ID of a previously created IP list.
  - `type IPRule struct{…}` Matches an IP address block.
    - `IP IPRuleIP`
      - `IP string` An IPv4 or IPv6 CIDR block.
  - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `Okta OktaGroupRuleOkta`
      - `IdentityProviderID string` The ID of your Okta identity provider.
      - `Name string` The name of the Okta group.
  - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `SAML SAMLGroupRuleSAML`
      - `AttributeName string` The name of the SAML attribute.
      - `AttributeValue string` The SAML attribute value to look for.
      - `IdentityProviderID string` The ID of your SAML identity provider.
  - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
      - `ClaimName string` The name of the OIDC claim.
      - `ClaimValue string` The OIDC claim value to look for.
      - `IdentityProviderID string` The ID of your OIDC identity provider.
  - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `ServiceToken ServiceTokenRuleServiceToken`
      - `TokenID string` The ID of a Service Token.
  - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
      - `AppUID string` The ID of an Access OIDC SaaS application
  - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
    - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
      - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
        - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
        - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
        - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`

### Any Valid Service Token Rule

- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
  - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.

### Authentication Method Rule

- `type AuthenticationMethodRule struct{…}` Enforce different MFA options
  - `AuthMethod AuthenticationMethodRuleAuthMethod`
    - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

### Azure Group Rule

- `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
  - `AzureAD AzureGroupRuleAzureAD`
    - `ID string` The ID of an Azure group.
    - `IdentityProviderID string` The ID of your Azure identity provider.

### Certificate Rule

- `type CertificateRule struct{…}` Matches any valid client certificate.
  - `Certificate CertificateRuleCertificate`

### Country Rule

- `type CountryRule struct{…}` Matches a specific country
  - `Geo CountryRuleGeo`
    - `CountryCode string` The country code that should be matched.

### Domain Rule

- `type DomainRule struct{…}` Match an entire email domain.
  - `EmailDomain DomainRuleEmailDomain`
    - `Domain string` The email domain to match.

### Email List Rule

- `type EmailListRule struct{…}` Matches an email address from a list.
  - `EmailList EmailListRuleEmailList`
    - `ID string` The ID of a previously created email list.

### Email Rule

- `type EmailRule struct{…}` Matches a specific email.
  - `Email EmailRuleEmail`
    - `Email string` The email of the user.

### Everyone Rule

- `type EveryoneRule struct{…}` Matches everyone.
  - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.

### External Evaluation Rule

- `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
    - `EvaluateURL string` The API endpoint containing your business logic.
    - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.

### GitHub Organization Rule

- `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
    - `IdentityProviderID string` The ID of your GitHub identity provider.
    - `Name string` The name of the organization.
    - `Team string` The name of the team

### Group Rule

- `type GroupRule struct{…}` Matches an Access group.
  - `Group GroupRuleGroup`
    - `ID string` The ID of a previously created Access group.

### GSuite Group Rule

- `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `GSuite GSuiteGroupRuleGSuite`
    - `Email string` The email of the Google Workspace group.
    - `IdentityProviderID string` The ID of your Google Workspace identity provider.

### IP List Rule

- `type IPListRule struct{…}` Matches an IP address from a list.
  - `IPList IPListRuleIPList`
    - `ID string` The ID of a previously created IP list.

### IP Rule

- `type IPRule struct{…}` Matches an IP address block.
  - `IP IPRuleIP`
    - `IP string` An IPv4 or IPv6 CIDR block.

### Okta Group Rule

- `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
  - `Okta OktaGroupRuleOkta`
    - `IdentityProviderID string` The ID of your Okta identity provider.
    - `Name string` The name of the Okta group.

### SAML Group Rule

- `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
  - `SAML SAMLGroupRuleSAML`
    - `AttributeName string` The name of the SAML attribute.
    - `AttributeValue string` The SAML attribute value to look for.
    - `IdentityProviderID string` The ID of your SAML identity provider.

### Service Token Rule

- `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
  - `ServiceToken ServiceTokenRuleServiceToken`
    - `TokenID string` The ID of a Service Token.
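
The policy fields documented above (`decision`, `include`, `require`, `precedence`, `mfa_config`, `session_duration`) can be reviewed offline once policy responses are in hand. The following is an added example, not code from the Cloudflare SDK or its documentation: it decodes policy response bodies and reports settings worth a second look. The names `DecodePolicies`, `AuditPolicies` and `Finding`, the `everyone` JSON key for `EveryoneRule`, the 24h session baseline and both sample bodies are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Rule is one include/require entry keyed by rule type, e.g. {"group": {"id": "..."}}.
type Rule map[string]json.RawMessage

// Policy holds only the response fields the checks below read.
type Policy struct {
	ID              string `json:"id"`
	Decision        string `json:"decision"`
	Precedence      int64  `json:"precedence"`
	Include         []Rule `json:"include"`
	Require         []Rule `json:"require"`
	SessionDuration string `json:"session_duration"`
	MfaConfig       struct {
		MfaDisabled bool `json:"mfa_disabled"`
	} `json:"mfa_config"`
}

type Finding struct{ PolicyID, Code, Detail string } // one audit result for one policy
const maxSession = 24 * time.Hour                    // assumed local baseline, not a Cloudflare limit

// DecodePolicies unwraps the {"success": ..., "result": {...}} envelope of each body.
func DecodePolicies(bodies ...string) ([]Policy, error) {
	var out []Policy
	for i, b := range bodies {
		var env struct {
			Success bool   `json:"success"`
			Result  Policy `json:"result"`
		}
		if err := json.Unmarshal([]byte(b), &env); err != nil {
			return nil, fmt.Errorf("body %d: %w", i, err)
		}
		if !env.Success {
			return nil, fmt.Errorf("body %d: success is false", i)
		}
		out = append(out, env.Result)
	}
	return out, nil
}

func hasRule(rules []Rule, key string) bool {
	for _, r := range rules {
		if _, ok := r[key]; ok {
			return true
		}
	}
	return false
}

// AuditPolicies checks the policies attached to one application.
func AuditPolicies(policies []Policy) []Finding {
	var out []Finding
	seen := map[int64]string{} // precedence -> first policy ID that used it
	for _, p := range policies {
		add := func(code, detail string) { out = append(out, Finding{p.ID, code, detail}) }
		if first, dup := seen[p.Precedence]; dup { // precedence must be unique within an app
			add("duplicate-precedence", fmt.Sprintf("%d also used by %s", p.Precedence, first))
		} else {
			seen[p.Precedence] = p.ID
		}
		if p.Decision == "bypass" {
			add("bypass-decision", "Access enforcement is skipped for matching traffic")
		}
		// Include is OR and Require is AND: an "everyone" include with no require
		// rule matches every non-excluded user. The "everyone" key is assumed.
		grants := p.Decision == "allow" || p.Decision == "bypass"
		if grants && hasRule(p.Include, "everyone") && len(p.Require) == 0 {
			add("include-everyone", "no require rule narrows the everyone include")
		}
		if p.MfaConfig.MfaDisabled {
			add("mfa-disabled", "mfa_config.mfa_disabled is true")
		}
		d, err := time.ParseDuration(p.SessionDuration)
		if p.SessionDuration != "" && err != nil {
			add("bad-session-duration", p.SessionDuration)
		} else if d > maxSession {
			add("long-session", fmt.Sprintf("%s exceeds baseline %s", d, maxSession))
		}
	}
	return out
}

// Constructed sample response bodies, trimmed to the audited fields.
const sampleA = `{"success": true, "result": {"id": "policy-a", "decision": "allow", "precedence": 0,
  "include": [{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}], "session_duration": "24h"}}`
const sampleB = `{"success": true, "result": {"id": "policy-b", "decision": "bypass", "precedence": 0,
  "include": [{"everyone": {}}], "mfa_config": {"mfa_disabled": true}, "session_duration": "720h"}}`

func main() {
	policies, err := DecodePolicies(sampleA, sampleB)
	fmt.Println(AuditPolicies(policies), err)
}
```

Exclude rules are not inspected here, so an `include-everyone` finding means the policy is broad, not that no exclusion applies.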
# Policy Tests

## Get the current status of a given Access policy test

`client.ZeroTrust.Access.Applications.PolicyTests.Get(ctx, policyTestID, query) (*AccessApplicationPolicyTestGetResponse, error)`

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}`

Fetches the current status of a given Access policy test.

### Parameters

- `policyTestID string` The UUID of the policy test.
- `query AccessApplicationPolicyTestGetParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessApplicationPolicyTestGetResponse struct{…}`
  - `ID string` The UUID of the policy test.
  - `PercentApproved int64` The percentage of (processed) users approved based on policy evaluation results.
  - `PercentBlocked int64` The percentage of (processed) users blocked based on policy evaluation results.
  - `PercentErrored int64` The percentage of (processed) users errored based on policy evaluation results.
  - `PercentUsersProcessed int64` The percentage of users processed so far (of the entire user base).
  - `Status AccessApplicationPolicyTestGetResponseStatus` The status of the policy test.
    - `const AccessApplicationPolicyTestGetResponseStatusBlocked AccessApplicationPolicyTestGetResponseStatus = "blocked"`
    - `const AccessApplicationPolicyTestGetResponseStatusProcessing AccessApplicationPolicyTestGetResponseStatus = "processing"`
    - `const AccessApplicationPolicyTestGetResponseStatusExceededTime AccessApplicationPolicyTestGetResponseStatus = "exceeded time"`
    - `const AccessApplicationPolicyTestGetResponseStatusComplete AccessApplicationPolicyTestGetResponseStatus = "complete"`
  - `TotalUsers int64` The total number of users in the user base.
  - `UsersApproved int64` The number of (processed) users approved based on policy evaluation results.
  - `UsersBlocked int64` The number of (processed) users blocked based on policy evaluation results.
  - `UsersErrored int64` The number of (processed) users errored based on policy evaluation results.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policyTest, err := client.ZeroTrust.Access.Applications.PolicyTests.Get(
		context.TODO(),
		"f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
		zero_trust.AccessApplicationPolicyTestGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policyTest.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "percent_approved": 25,
    "percent_blocked": 25,
    "percent_errored": 25,
    "percent_users_processed": 50,
    "status": "complete",
    "total_users": 20,
    "users_approved": 5,
    "users_blocked": 5,
    "users_errored": 5
  }
}
```

## Start Access policy test

`client.ZeroTrust.Access.Applications.PolicyTests.New(ctx, params) (*AccessApplicationPolicyTestNewResponse, error)`

**post** `/accounts/{account_id}/access/policy-tests`

Starts an Access policy test.

### Parameters

- `params AccessApplicationPolicyTestNewParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Policies param.Field[[]AccessApplicationPolicyTestNewParamsPolicyUnion]` Body param
    - `type AccessApplicationPolicyTestNewParamsPoliciesObject struct{…}`
      - `Decision Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `const DecisionAllow Decision = "allow"`
        - `const DecisionDeny Decision = "deny"`
        - `const DecisionNonIdentity Decision = "non_identity"`
        - `const DecisionBypass Decision = "bypass"`
      - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `type GroupRule struct{…}` Matches an Access group.
          - `Group GroupRuleGroup`
            - `ID string` The ID of a previously created Access group.
        - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
          - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
        - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
            - `ID string` The ID of an Authentication context.
            - `AcID string` The ACID of an Authentication context.
            - `IdentityProviderID string` The ID of your Azure identity provider.
        - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
          - `AuthMethod AuthenticationMethodRuleAuthMethod`
            - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
          - `AzureAD AzureGroupRuleAzureAD`
            - `ID string` The ID of an Azure group.
            - `IdentityProviderID string` The ID of your Azure identity provider.
        - `type CertificateRule struct{…}` Matches any valid client certificate.
          - `Certificate CertificateRuleCertificate`
        - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
          - `CommonName AccessRuleAccessCommonNameRuleCommonName`
            - `CommonName string` The common name to match.
        - `type CountryRule struct{…}` Matches a specific country
          - `Geo CountryRuleGeo`
            - `CountryCode string` The country code that should be matched.
        - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
          - `DevicePosture AccessDevicePostureRuleDevicePosture`
            - `IntegrationUID string` The ID of a device posture integration.
        - `type DomainRule struct{…}` Match an entire email domain.
          - `EmailDomain DomainRuleEmailDomain`
            - `Domain string` The email domain to match.
        - `type EmailListRule struct{…}` Matches an email address from a list.
          - `EmailList EmailListRuleEmailList`
            - `ID string` The ID of a previously created email list.
        - `type EmailRule struct{…}` Matches a specific email.
          - `Email EmailRuleEmail`
            - `Email string` The email of the user.
        - `type EveryoneRule struct{…}` Matches everyone.
          - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
        - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
            - `EvaluateURL string` The API endpoint containing your business logic.
            - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
          - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
            - `IdentityProviderID string` The ID of your GitHub identity provider.
            - `Name string` The name of the organization.
            - `Team string` The name of the team
        - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `GSuite GSuiteGroupRuleGSuite`
            - `Email string` The email of the Google Workspace group.
            - `IdentityProviderID string` The ID of your Google Workspace identity provider.
        - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
          - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
            - `ID string` The ID of an identity provider.
        - `type IPListRule struct{…}` Matches an IP address from a list.
          - `IPList IPListRuleIPList`
            - `ID string` The ID of a previously created IP list.
        - `type IPRule struct{…}` Matches an IP address block.
          - `IP IPRuleIP`
            - `IP string` An IPv4 or IPv6 CIDR block.
        - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
          - `Okta OktaGroupRuleOkta`
            - `IdentityProviderID string` The ID of your Okta identity provider.
            - `Name string` The name of the Okta group.
        - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
          - `SAML SAMLGroupRuleSAML`
            - `AttributeName string` The name of the SAML attribute.
            - `AttributeValue string` The SAML attribute value to look for.
            - `IdentityProviderID string` The ID of your SAML identity provider.
        - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
          - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
            - `ClaimName string` The name of the OIDC claim.
            - `ClaimValue string` The OIDC claim value to look for.
            - `IdentityProviderID string` The ID of your OIDC identity provider.
        - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
          - `ServiceToken ServiceTokenRuleServiceToken`
            - `TokenID string` The ID of a Service Token.
        - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
            - `AppUID string` The ID of an Access OIDC SaaS application
        - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
          - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
            - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
              - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
              - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
              - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
      - `Name string` The name of the Access policy.
      - `ApprovalGroups []ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `ApprovalsNeeded float64` The number of approvals needed to obtain access.
        - `EmailAddresses []string` A list of emails that can approve the access request.
        - `EmailListUUID string` The UUID of a reusable email list.
      - `ApprovalRequired bool` Requires the user to request access from an administrator at the start of each session.
      - `ConnectionRules AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `RDP AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `AllowedClipboardLocalToRemoteFormats []AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `const AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormatText AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormat = "text"`
          - `AllowedClipboardRemoteToLocalFormats []AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `const AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormatText AccessApplicationPolicyTestNewParamsPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormat = "text"`
      - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `type GroupRule struct{…}` Matches an Access group.
        - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
        - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
        - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
        - `type CertificateRule struct{…}` Matches any valid client certificate.
        - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
        - `type CountryRule struct{…}` Matches a specific country
        - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
        - `type DomainRule struct{…}` Match an entire email domain.
        - `type EmailListRule struct{…}` Matches an email address from a list.
        - `type EmailRule struct{…}` Matches a specific email.
        - `type EveryoneRule struct{…}` Matches everyone.
        - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
        - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
        - `type IPListRule struct{…}` Matches an IP address from a list.
        - `type IPRule struct{…}` Matches an IP address block.
        - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
        - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
        - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
        - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
        - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `IsolationRequired bool` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `MfaConfig AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfig` Configures multi-factor authentication (MFA) settings.
        - `AllowedAuthenticators []AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticator` Lists the MFA methods that users can authenticate with.
          - `const AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticatorTotp AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticator = "totp"`
          - `const AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticatorBiometrics AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticator = "biometrics"`
          - `const AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationPolicyTestNewParamsPoliciesObjectMfaConfigAllowedAuthenticator = "security_key"`
        - `MfaDisabled bool` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `SessionDuration string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `PurposeJustificationPrompt string` A custom message that will appear on the purpose justification screen.
      - `PurposeJustificationRequired bool` Require users to enter a justification when they log in to the application.
      - `Require []AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `type GroupRule struct{…}` Matches an Access group.
        - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
        - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
        - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
        - `type CertificateRule struct{…}` Matches any valid client certificate.
        - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
        - `type CountryRule struct{…}` Matches a specific country
        - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
        - `type DomainRule struct{…}` Match an entire email domain.
        - `type EmailListRule struct{…}` Matches an email address from a list.
        - `type EmailRule struct{…}` Matches a specific email.
        - `type EveryoneRule struct{…}` Matches everyone.
        - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
        - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
        - `type IPListRule struct{…}` Matches an IP address from a list.
        - `type IPRule struct{…}` Matches an IP address block.
        - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
        - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
        - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
        - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
        - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `SessionDuration string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `UnionString`

### Returns

- `type AccessApplicationPolicyTestNewResponse struct{…}`
  - `ID string` The UUID of the policy test.
  - `Status AccessApplicationPolicyTestNewResponseStatus` The status of the policy test request.
    - `const AccessApplicationPolicyTestNewResponseStatusSuccess AccessApplicationPolicyTestNewResponseStatus = "success"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	policyTest, err := client.ZeroTrust.Access.Applications.PolicyTests.New(context.TODO(), zero_trust.AccessApplicationPolicyTestNewParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", policyTest.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "status": "success"
  }
}
```

# Users

## Get an Access policy test users page

`client.ZeroTrust.Access.Applications.PolicyTests.Users.List(ctx, policyTestID, params) (*V4PagePaginationArray[AccessApplicationPolicyTestUserListResponse], error)`

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}/users`

Fetches a single page of user results from an Access policy test.

### Parameters

- `policyTestID string` The UUID of the policy test.
- `params AccessApplicationPolicyTestUserListParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param
  - `Status param.Field[AccessApplicationPolicyTestUserListParamsStatus]` Query param: Filter users by their policy evaluation status.
    - `const AccessApplicationPolicyTestUserListParamsStatusSuccess AccessApplicationPolicyTestUserListParamsStatus = "success"`
    - `const AccessApplicationPolicyTestUserListParamsStatusFail AccessApplicationPolicyTestUserListParamsStatus = "fail"`
    - `const AccessApplicationPolicyTestUserListParamsStatusError AccessApplicationPolicyTestUserListParamsStatus = "error"`

### Returns

- `type AccessApplicationPolicyTestUserListResponse struct{…}`
  - `ID string` UUID.
  - `Email string` The email of the user.
  - `Name string` The name of the user.
  - `Status AccessApplicationPolicyTestUserListResponseStatus` Policy evaluation result for an individual user.
    - `const AccessApplicationPolicyTestUserListResponseStatusApproved AccessApplicationPolicyTestUserListResponseStatus = "approved"`
    - `const AccessApplicationPolicyTestUserListResponseStatusBlocked AccessApplicationPolicyTestUserListResponseStatus = "blocked"`
    - `const AccessApplicationPolicyTestUserListResponseStatusError AccessApplicationPolicyTestUserListResponseStatus = "error"`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Applications.PolicyTests.Users.List(
		context.TODO(),
		"f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
		zero_trust.AccessApplicationPolicyTestUserListParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "jdoe@example.com",
      "name": "Jane Doe",
      "status": "approved"
    }
  ]
}
```

# Settings

## Update Access application settings

`client.ZeroTrust.Access.Applications.Settings.Update(ctx, appID, params) (*AccessApplicationSettingUpdateResponse, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Parameters

- `AppID AppID` Identifier.
- `params AccessApplicationSettingUpdateParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AllowIframe param.Field[bool]` Body param: Enables loading application content in an iFrame.
  - `SkipInterstitial param.Field[bool]` Body param: Enables automatic authentication through cloudflared.

### Returns

- `type AccessApplicationSettingUpdateResponse struct{…}`
  - `AllowIframe bool` Enables loading application content in an iFrame.
  - `SkipInterstitial bool` Enables automatic authentication through cloudflared.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	setting, err := client.ZeroTrust.Access.Applications.Settings.Update(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationSettingUpdateParams{
			// Placeholder value: set exactly one of AccountID or ZoneID.
			AccountID: cloudflare.F("<ACCOUNT_ID>"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", setting.AllowIframe)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Update Access application settings

`client.ZeroTrust.Access.Applications.Settings.Edit(ctx, appID, params) (*AccessApplicationSettingEditResponse, error)`

**patch** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Parameters

- `AppID AppID` Identifier.
- `params AccessApplicationSettingEditParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AllowIframe param.Field[bool]` Body param: Enables loading application content in an iFrame.
  - `SkipInterstitial param.Field[bool]` Body param: Enables automatic authentication through cloudflared.

### Returns

- `type AccessApplicationSettingEditResponse struct{…}`
  - `AllowIframe bool` Enables loading application content in an iFrame.
  - `SkipInterstitial bool` Enables automatic authentication through cloudflared.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Access.Applications.Settings.Edit(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationSettingEditParams{
			// Placeholder value: set exactly one of AccountID or ZoneID.
			AccountID: cloudflare.F("<ACCOUNT_ID>"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.AllowIframe)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

# Certificates

## List mTLS certificates

`client.ZeroTrust.Access.Certificates.List(ctx, params) (*V4PagePaginationArray[Certificate], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Lists all mTLS root certificates.

### Parameters

- `params AccessCertificateListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.

### Returns

- `type Certificate struct{…}`
  - `ID string` The ID of the application that will use this certificate.
  - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `ExpiresOn Time`
  - `Fingerprint string` The MD5 fingerprint of the certificate.
  - `Name string` The name of the certificate.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Certificates.List(context.TODO(), zero_trust.AccessCertificateListParams{
		// Placeholder value: set exactly one of AccountID or ZoneID.
		AccountID: cloudflare.F("<ACCOUNT_ID>"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "associated_hostnames": [
        "admin.example.com"
      ],
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
      "name": "Allow devs",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an mTLS certificate

`client.ZeroTrust.Access.Certificates.Get(ctx, certificateID, query) (*Certificate, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Fetches a single mTLS certificate.

### Parameters

- `certificateID string` UUID.
- `query AccessCertificateGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type Certificate struct{…}`
  - `ID string` The ID of the application that will use this certificate.
  - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `ExpiresOn Time`
  - `Fingerprint string` The MD5 fingerprint of the certificate.
  - `Name string` The name of the certificate.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Access.Certificates.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessCertificateGetParams{
			// Placeholder value: set exactly one of AccountID or ZoneID.
			AccountID: cloudflare.F("<ACCOUNT_ID>"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [
      "admin.example.com"
    ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Add an mTLS certificate

`client.ZeroTrust.Access.Certificates.New(ctx, params) (*Certificate, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Adds a new mTLS root certificate to Access.

### Parameters

- `params AccessCertificateNewParams`
  - `Certificate param.Field[string]` Body param: The certificate content.
  - `Name param.Field[string]` Body param: The name of the certificate.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `AssociatedHostnames param.Field[[]AssociatedHostnames]` Body param: The hostnames of the applications that will use this certificate.

### Returns

- `type Certificate struct{…}`
  - `ID string` The ID of the application that will use this certificate.
  - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `ExpiresOn Time`
  - `Fingerprint string` The MD5 fingerprint of the certificate.
  - `Name string` The name of the certificate.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Access.Certificates.New(context.TODO(), zero_trust.AccessCertificateNewParams{
		Certificate: cloudflare.F("-----BEGIN CERTIFICATE-----\nMIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10\nDrUtmu/B\n-----END CERTIFICATE-----"),
		Name:        cloudflare.F("Allow devs"),
		// Placeholder value: set exactly one of AccountID or ZoneID.
		AccountID: cloudflare.F("<ACCOUNT_ID>"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [
      "admin.example.com"
    ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an mTLS certificate

`client.ZeroTrust.Access.Certificates.Update(ctx, certificateID, params) (*Certificate, error)`

**put**
`/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}` Updates a configured mTLS certificate. ### Parameters - `certificateID string` UUID. - `params AccessCertificateUpdateParams` - `AssociatedHostnames param.Field[[]AssociatedHostnames]` Body param: The hostnames of the applications that will use this certificate. - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `Name param.Field[string]` Body param: The name of the certificate. ### Returns - `type Certificate struct{…}` - `ID string` The ID of the application that will use this certificate. - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate. - `ExpiresOn Time` - `Fingerprint string` The MD5 fingerprint of the certificate. - `Name string` The name of the certificate. 
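
The `Fingerprint` field in these certificate responses is an MD5 digest, which identifies a certificate but is not collision-resistant, so it is worth recording a SHA-256 digest next to it. The following added example (not part of the SDK or its documentation) checks a PEM certificate before it is passed to `Certificates.New`; `CheckRoot`, `RootCheck` and `sampleCert` are hypothetical names, and it assumes the fingerprint is the MD5 of the DER encoding in the layout that `openssl x509 -fingerprint -md5` prints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RootCheck is what the pre-flight check reports about an accepted certificate.
type RootCheck struct {
	MD5Fingerprint string    // assumed layout of the API's "fingerprint" field
	SHA256         string    // collision-resistant digest for your own inventory
	ExpiresOn      time.Time // certificate NotAfter
}

// colonHex renders a digest as upper-case hex pairs joined by colons.
func colonHex(sum []byte) string {
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// CheckRoot parses the first PEM block and rejects non-certificate PEM, non-CA
// certificates, and certificates outside their validity window at time now.
func CheckRoot(pemText string, now time.Time) (*RootCheck, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return nil, errors.New("not a CA certificate (basicConstraints CA:TRUE missing)")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("not valid at %s", now.Format(time.RFC3339))
	}
	md5Sum := md5.Sum(cert.Raw) // digest of the DER bytes
	shaSum := sha256.Sum256(cert.Raw)
	return &RootCheck{
		MD5Fingerprint: "MD5 Fingerprint=" + colonHex(md5Sum[:]),
		SHA256:         hex.EncodeToString(shaSum[:]),
		ExpiresOn:      cert.NotAfter,
	}, nil
}

// sampleCert builds a throwaway self-signed certificate (constructed input).
func sampleCert(isCA bool, notBefore, notAfter time.Time) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage = x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-mtls-root"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	now := time.Now()
	pemText, err := sampleCert(true, now.Add(-time.Hour), now.Add(48*time.Hour))
	if err != nil {
		panic(err)
	}
	res, err := CheckRoot(pemText, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\nSHA-256: %s\nexpires: %s\n", res.MD5Fingerprint, res.SHA256, res.ExpiresOn.Format(time.RFC3339))
}
```
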
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Access.Certificates.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessCertificateUpdateParams{
			// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
			AssociatedHostnames: cloudflare.F([]zero_trust.AssociatedHostnamesParam{"admin.example.com"}),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [
      "admin.example.com"
    ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an mTLS certificate

`client.ZeroTrust.Access.Certificates.Delete(ctx, certificateID, body) (*AccessCertificateDeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Deletes an mTLS certificate.

### Parameters

- `certificateID string` UUID.
- `body AccessCertificateDeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessCertificateDeleteResponse struct{…}`
  - `ID string` UUID.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Access.Certificates.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessCertificateDeleteParams{
			// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Associated Hostnames

- `type AssociatedHostnames string` A fully-qualified domain name (FQDN).

### Certificate

- `type Certificate struct{…}`
  - `ID string` The ID of the application that will use this certificate.
  - `AssociatedHostnames []AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `ExpiresOn Time`
  - `Fingerprint string` The MD5 fingerprint of the certificate.
  - `Name string` The name of the certificate.

# Settings

## List all mTLS hostname settings

`client.ZeroTrust.Access.Certificates.Settings.Get(ctx, query) (*SinglePage[CertificateSettings], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

List all mTLS hostname settings for this account or zone.

### Parameters

- `query AccessCertificateSettingGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
### Returns

- `type CertificateSettings struct{…}`
  - `ChinaNetwork bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.
  - `ClientCertificateForwarding bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `Hostname string` The hostname that these settings apply to.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Certificates.Settings.Get(context.TODO(), zero_trust.AccessCertificateSettingGetParams{
		// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Update an mTLS certificate's hostname settings

`client.ZeroTrust.Access.Certificates.Settings.Update(ctx, params) (*SinglePage[CertificateSettings], error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

Updates an mTLS certificate's hostname settings.

### Parameters

- `params AccessCertificateSettingUpdateParams`
  - `Settings param.Field[[]CertificateSettings]` Body param
    - `ChinaNetwork bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.
    - `ClientCertificateForwarding bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
    - `Hostname string` The hostname that these settings apply to.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type CertificateSettings struct{…}`
  - `ChinaNetwork bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.
  - `ClientCertificateForwarding bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `Hostname string` The hostname that these settings apply to.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Certificates.Settings.Update(context.TODO(), zero_trust.AccessCertificateSettingUpdateParams{
		// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
		Settings: cloudflare.F([]zero_trust.CertificateSettingsParam{zero_trust.CertificateSettingsParam{
			ChinaNetwork:                cloudflare.F(false),
			ClientCertificateForwarding: cloudflare.F(true),
			Hostname:                    cloudflare.F("admin.example.com"),
		}}),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Certificate Settings

- `type CertificateSettings struct{…}`
  - `ChinaNetwork bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.
  - `ClientCertificateForwarding bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `Hostname string` The hostname that these settings apply to.

# Groups

## List Access groups

`client.ZeroTrust.Access.Groups.List(ctx, params) (*V4PagePaginationArray[AccessGroupListResponse], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Lists all Access groups.
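
Each Access group carries `include`, `exclude` and `require` rule lists that combine as OR, NOT and AND respectively. The following added example (not SDK code) evaluates a constructed group document against a request; `Subject`, `Rule`, `Group`, `ParseGroup` and `Decide` are hypothetical names, the JSON keys `email_domain`, `ip`, `geo` and `everyone` are assumed to be the wire names of the corresponding Go rule types, and denying on unimplemented rule types or an empty `include` list is this sketch's own choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strings"
)

// Subject holds the request attributes this sketch can test (hypothetical type).
type Subject struct {
	Email, IP, Country string
}

// Rule is one list entry: an object whose single key names the rule type,
// e.g. {"email_domain": {"domain": "example.com"}}.
type Rule map[string]json.RawMessage

// Group mirrors the include/exclude/require arrays of the response JSON.
type Group struct {
	Name    string `json:"name"`
	Include []Rule `json:"include"`
	Exclude []Rule `json:"exclude"`
	Require []Rule `json:"require"`
}

// sampleGroup is constructed input, not output captured from the API.
const sampleGroup = `{
  "name": "Allow devs",
  "include": [{"email_domain": {"domain": "example.com"}}],
  "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],
  "require": [{"geo": {"country_code": "US"}}]
}`

// ParseGroup decodes one group object.
func ParseGroup(doc string) (Group, error) {
	var g Group
	err := json.Unmarshal([]byte(doc), &g)
	return g, err
}

// match reports whether one rule matches s. known is false for rule types the
// sketch does not implement, so that Decide can fail closed on them.
func match(r Rule, s Subject) (matched, known bool) {
	for kind, raw := range r {
		var f map[string]string
		_ = json.Unmarshal(raw, &f) // on error the lookups below yield "" and nothing matches
		switch kind {
		case "everyone":
			return true, true
		case "email_domain":
			at := strings.LastIndex(s.Email, "@")
			return at >= 0 && f["domain"] != "" && strings.EqualFold(s.Email[at+1:], f["domain"]), true
		case "geo":
			return f["country_code"] != "" && strings.EqualFold(s.Country, f["country_code"]), true
		case "ip":
			prefix, perr := netip.ParsePrefix(f["ip"])
			addr, aerr := netip.ParseAddr(s.IP)
			return perr == nil && aerr == nil && prefix.Contains(addr.Unmap()), true
		}
	}
	return false, false
}

// Decide applies the operators: Exclude is NOT (no rule may match), Require is
// AND (every rule must match), Include is OR (one match suffices). Unknown rule
// types never grant access and deny when they appear in Exclude or Require.
func Decide(g Group, s Subject) (bool, string) {
	for _, r := range g.Exclude {
		if m, known := match(r, s); m || !known {
			return false, "exclude"
		}
	}
	for _, r := range g.Require {
		if m, _ := match(r, s); !m {
			return false, "require"
		}
	}
	for _, r := range g.Include {
		if m, _ := match(r, s); m {
			return true, "include"
		}
	}
	return false, "no include rule matched"
}

func main() {
	g, err := ParseGroup(sampleGroup)
	if err != nil {
		panic(err)
	}
	for _, s := range []Subject{
		{"dev@example.com", "192.0.2.10", "US"},
		{"dev@example.com", "203.0.113.7", "US"},
		{"dev@example.com", "192.0.2.10", "DE"},
	} {
		ok, why := Decide(g, s)
		fmt.Printf("%-16s %-12s %s -> allowed=%v (%s)\n", s.Email, s.IP, s.Country, ok, why)
	}
}
```
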
### Parameters

- `params AccessGroupListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Name param.Field[string]` Query param: The name of the group.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `Search param.Field[string]` Query param: Search for groups by other listed query parameters.

### Returns

- `type AccessGroupListResponse struct{…}`
  - `ID string` UUID.
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your GitHub identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsDefault []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `Name string` The name of the Access group.
  - `Require []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Groups.List(context.TODO(), zero_trust.AccessGroupListParams{
		// Set exactly one of AccountID or ZoneID; the two are mutually exclusive.
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "exclude": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "include": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "is_default": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "name": "Allow devs",
      "require": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access group

`client.ZeroTrust.Access.Groups.Get(ctx, groupID, query) (*AccessGroupGetResponse, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Fetches a single Access group.

### Parameters

- `groupID string` UUID.
- `query AccessGroupGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint.
    Mutually exclusive with the Account ID.

### Returns

- `type AccessGroupGetResponse struct{…}`
  - `ID string` UUID.
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your GitHub identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a GitHub organization. Requires a GitHub identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsDefault []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces that a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access group. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Sample token from the reference. In real code, load the token from the
	// environment or a secret store instead of hardcoding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	group, err := client.ZeroTrust.Access.Groups.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", // group ID (UUID)
		zero_trust.AccessGroupGetParams{
			// Set AccountID or ZoneID here (mutually exclusive) to scope the request.
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", group.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access group

`client.ZeroTrust.Access.Groups.New(ctx, params) (*AccessGroupNewResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Creates a new Access group.

### Parameters

- `params AccessGroupNewParams` - `Include param.Field[[]AccessRule]` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group.
- `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. - `type EmailListRule struct{…}` Matches an email address from a list. 
- `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. 
- `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. 
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Name param.Field[string]` Body param: The name of the Access group. - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `Exclude param.Field[[]AccessRule]` Body param: Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsDefault param.Field[bool]` Body param: Whether this is the default group - `Require param.Field[[]AccessRule]` Body param: Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. 
- `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.

### Returns

- `type AccessGroupNewResponse struct{…}` - `ID string` UUID. - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
- `type GroupRule struct{…}` Matches an Access group. - `Group GroupRuleGroup` - `ID string` The ID of a previously created Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens. - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthContext AccessRuleAccessAuthContextRuleAuthContext` - `ID string` The ID of an Authentication context. - `AcID string` The ACID of an Authentication context. - `IdentityProviderID string` The ID of your Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `AuthMethod AuthenticationMethodRuleAuthMethod` - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `AzureAD AzureGroupRuleAzureAD` - `ID string` The ID of an Azure group. - `IdentityProviderID string` The ID of your Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `Certificate CertificateRuleCertificate` - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `CommonName AccessRuleAccessCommonNameRuleCommonName` - `CommonName string` The common name to match. - `type CountryRule struct{…}` Matches a specific country - `Geo CountryRuleGeo` - `CountryCode string` The country code that should be matched. - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `DevicePosture AccessDevicePostureRuleDevicePosture` - `IntegrationUID string` The ID of a device posture integration. - `type DomainRule struct{…}` Match an entire email domain. - `EmailDomain DomainRuleEmailDomain` - `Domain string` The email domain to match. 
- `type EmailListRule struct{…}` Matches an email address from a list. - `EmailList EmailListRuleEmailList` - `ID string` The ID of a previously created email list. - `type EmailRule struct{…}` Matches a specific email. - `Email EmailRuleEmail` - `Email string` The email of the user. - `type EveryoneRule struct{…}` Matches everyone. - `Everyone EveryoneRuleEveryone` An empty object which matches on all users. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation` - `EvaluateURL string` The API endpoint containing your business logic. - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization` - `IdentityProviderID string` The ID of your Github identity provider. - `Name string` The name of the organization. - `Team string` The name of the team - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `GSuite GSuiteGroupRuleGSuite` - `Email string` The email of the Google Workspace group. - `IdentityProviderID string` The ID of your Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod` - `ID string` The ID of an identity provider. - `type IPListRule struct{…}` Matches an IP address from a list. - `IPList IPListRuleIPList` - `ID string` The ID of a previously created IP list. - `type IPRule struct{…}` Matches an IP address block. - `IP IPRuleIP` - `IP string` An IPv4 or IPv6 CIDR block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. 
- `Okta OktaGroupRuleOkta` - `IdentityProviderID string` The ID of your Okta identity provider. - `Name string` The name of the Okta group. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `SAML SAMLGroupRuleSAML` - `AttributeName string` The name of the SAML attribute. - `AttributeValue string` The SAML attribute value to look for. - `IdentityProviderID string` The ID of your SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `OIDC AccessRuleAccessOIDCClaimRuleOIDC` - `ClaimName string` The name of the OIDC claim. - `ClaimValue string` The OIDC claim value to look for. - `IdentityProviderID string` The ID of your OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `ServiceToken ServiceTokenRuleServiceToken` - `TokenID string` The ID of a Service Token. - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken` - `AppUID string` The ID of an Access OIDC SaaS application - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore` - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored. 
- `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"` - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"` - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `IsDefault []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. 
- `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. - `Name string` The name of the Access group. - `Require []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `type GroupRule struct{…}` Matches an Access group. - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider. - `type AuthenticationMethodRule struct{…}` Enforce different MFA options - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider. - `type CertificateRule struct{…}` Matches any valid client certificate. 
- `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name. - `type CountryRule struct{…}` Matches a specific country - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully - `type DomainRule struct{…}` Match an entire email domain. - `type EmailListRule struct{…}` Matches an email address from a list. - `type EmailRule struct{…}` Matches a specific email. - `type EveryoneRule struct{…}` Matches everyone. - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria. - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider. - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id. - `type IPListRule struct{…}` Matches an IP address from a list. - `type IPRule struct{…}` Matches an IP address block. - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider. - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider. - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider. - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score. 
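
The Include (OR), Exclude (NOT) and Require (AND) semantics described above, carried through as an added example that is not code from cloudflare-go or Cloudflare: a local model of four rule types that evaluates group membership and flags definitions broader than they look. The `Identity`, `Rule`, `Group`, `InGroup` and `Audit` names are hypothetical, the sample groups are constructed, and combining the three lists as "any Include, no Exclude, every Require" is an assumption drawn from the field descriptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Identity holds the request attributes this sketch evaluates (constructed model).
type Identity struct {
	Email, IP, Country string
}

// Rule is a hypothetical local stand-in for four AccessRule variants from the
// reference. Set exactly one field per rule.
type Rule struct {
	EmailDomain string // DomainRule: an entire email domain
	IPCIDR      string // IPRule: an IPv4 or IPv6 CIDR block
	CountryCode string // CountryRule: a specific country
	Everyone    bool   // EveryoneRule: matches everyone
}

// Group mirrors the Include / Exclude / Require lists of an Access group.
type Group struct {
	Name                      string
	Include, Exclude, Require []Rule
}

// Matches reports whether one rule matches; a malformed CIDR or IP never matches.
func (r Rule) Matches(id Identity) bool {
	switch {
	case r.Everyone:
		return true
	case r.EmailDomain != "":
		at := strings.LastIndex(id.Email, "@")
		return at >= 0 && strings.EqualFold(id.Email[at+1:], r.EmailDomain)
	case r.IPCIDR != "":
		p, perr := netip.ParsePrefix(r.IPCIDR)
		a, aerr := netip.ParseAddr(id.IP)
		return perr == nil && aerr == nil && p.Contains(a)
	case r.CountryCode != "":
		return strings.EqualFold(id.Country, r.CountryCode)
	}
	return false
}

// matched counts how many rules in the list match the identity.
func matched(rules []Rule, id Identity) int {
	n := 0
	for _, r := range rules {
		if r.Matches(id) {
			n++
		}
	}
	return n
}

// InGroup combines the lists (assumption): at least one Include (OR),
// no Exclude (NOT), and every Require (AND). An empty Include matches nobody.
func (g Group) InGroup(id Identity) bool {
	return matched(g.Include, id) > 0 &&
		matched(g.Exclude, id) == 0 &&
		matched(g.Require, id) == len(g.Require)
}

// Audit returns findings for Include rules that are broader or weaker than intended.
func Audit(g Group) []string {
	var out []string
	for _, r := range g.Include {
		p, err := netip.ParsePrefix(r.IPCIDR)
		switch {
		case r.Everyone && len(g.Require) == 0:
			out = append(out, g.Name+": Include matches everyone and no Require rule narrows it")
		case r.IPCIDR != "" && err != nil:
			out = append(out, g.Name+": invalid CIDR "+r.IPCIDR+" never matches")
		case r.IPCIDR != "" && p.Bits() == 0:
			out = append(out, g.Name+": CIDR "+r.IPCIDR+" covers every address")
		}
	}
	return out
}

// Constructed sample groups (documentation address ranges and domains).
var devsGroup = Group{
	Name:    "Allow devs",
	Include: []Rule{{EmailDomain: "example.com"}, {IPCIDR: "192.0.2.0/24"}},
	Exclude: []Rule{{IPCIDR: "192.0.2.128/25"}},
	Require: []Rule{{CountryCode: "DE"}},
}
var openGroup = Group{Name: "Open", Include: []Rule{{Everyone: true}, {IPCIDR: "0.0.0.0/0"}}}

func main() {
	fmt.Println(devsGroup.InGroup(Identity{"alice@example.com", "198.51.100.7", "DE"}))
	fmt.Println(Audit(devsGroup), Audit(openGroup))
}
```
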
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Sample token from the reference. In real code, load the token from the
	// environment or a secret store instead of hardcoding it.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Set AccountID or ZoneID in the params (mutually exclusive) to scope the request.
	group, err := client.ZeroTrust.Access.Groups.New(context.TODO(), zero_trust.AccessGroupNewParams{
		// Include rules are ORed: matching any one of them is enough.
		Include: cloudflare.F([]zero_trust.AccessRuleUnionParam{zero_trust.GroupRuleParam{
			Group: cloudflare.F(zero_trust.GroupRuleGroupParam{
				ID: cloudflare.F("aa0a4aab-672b-4bdb-bc33-a59f1130a11f"),
			}),
		}}),
		Name: cloudflare.F("Allow devs"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", group.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access group

`client.ZeroTrust.Access.Groups.Update(ctx, groupID, params) (*AccessGroupUpdateResponse, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Updates a configured Access group.

### Parameters

- `groupID string` UUID. - `params AccessGroupUpdateParams` - `Include param.Field[[]AccessRule]` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your Github identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Name param.Field[string]` Body param: The name of the Access group.
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Exclude param.Field[[]AccessRule]` Body param: Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsDefault param.Field[bool]` Body param: Whether this is the default group
  - `Require param.Field[[]AccessRule]` Body param: Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.

### Returns

- `type AccessGroupUpdateResponse struct{…}`
  - `ID string` UUID.
  - `Exclude []AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `type GroupRule struct{…}` Matches an Access group.
      - `Group GroupRuleGroup`
        - `ID string` The ID of a previously created Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
      - `AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken` An empty object which matches on all service tokens.
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthContext AccessRuleAccessAuthContextRuleAuthContext`
        - `ID string` The ID of an Authentication context.
        - `AcID string` The ACID of an Authentication context.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
      - `AuthMethod AuthenticationMethodRuleAuthMethod`
        - `AuthMethod string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
      - `AzureAD AzureGroupRuleAzureAD`
        - `ID string` The ID of an Azure group.
        - `IdentityProviderID string` The ID of your Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
      - `Certificate CertificateRuleCertificate`
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
      - `CommonName AccessRuleAccessCommonNameRuleCommonName`
        - `CommonName string` The common name to match.
    - `type CountryRule struct{…}` Matches a specific country
      - `Geo CountryRuleGeo`
        - `CountryCode string` The country code that should be matched.
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
      - `DevicePosture AccessDevicePostureRuleDevicePosture`
        - `IntegrationUID string` The ID of a device posture integration.
    - `type DomainRule struct{…}` Match an entire email domain.
      - `EmailDomain DomainRuleEmailDomain`
        - `Domain string` The email domain to match.
    - `type EmailListRule struct{…}` Matches an email address from a list.
      - `EmailList EmailListRuleEmailList`
        - `ID string` The ID of a previously created email list.
    - `type EmailRule struct{…}` Matches a specific email.
      - `Email EmailRuleEmail`
        - `Email string` The email of the user.
    - `type EveryoneRule struct{…}` Matches everyone.
      - `Everyone EveryoneRuleEveryone` An empty object which matches on all users.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `ExternalEvaluation ExternalEvaluationRuleExternalEvaluation`
        - `EvaluateURL string` The API endpoint containing your business logic.
        - `KeysURL string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
      - `GitHubOrganization GitHubOrganizationRuleGitHubOrganization`
        - `IdentityProviderID string` The ID of your Github identity provider.
        - `Name string` The name of the organization.
        - `Team string` The name of the team
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `GSuite GSuiteGroupRuleGSuite`
        - `Email string` The email of the Google Workspace group.
        - `IdentityProviderID string` The ID of your Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
      - `LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod`
        - `ID string` The ID of an identity provider.
    - `type IPListRule struct{…}` Matches an IP address from a list.
      - `IPList IPListRuleIPList`
        - `ID string` The ID of a previously created IP list.
    - `type IPRule struct{…}` Matches an IP address block.
      - `IP IPRuleIP`
        - `IP string` An IPv4 or IPv6 CIDR block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
      - `Okta OktaGroupRuleOkta`
        - `IdentityProviderID string` The ID of your Okta identity provider.
        - `Name string` The name of the Okta group.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
      - `SAML SAMLGroupRuleSAML`
        - `AttributeName string` The name of the SAML attribute.
        - `AttributeValue string` The SAML attribute value to look for.
        - `IdentityProviderID string` The ID of your SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
      - `OIDC AccessRuleAccessOIDCClaimRuleOIDC`
        - `ClaimName string` The name of the OIDC claim.
        - `ClaimValue string` The OIDC claim value to look for.
        - `IdentityProviderID string` The ID of your OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
      - `ServiceToken ServiceTokenRuleServiceToken`
        - `TokenID string` The ID of a Service Token.
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken`
        - `AppUID string` The ID of an Access OIDC SaaS application
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
      - `UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore`
        - `UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"`
          - `const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"`
  - `Include []AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace.
      Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `IsDefault []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
  - `Name string` The name of the Access group.
  - `Require []AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `type GroupRule struct{…}` Matches an Access group.
    - `type AnyValidServiceTokenRule struct{…}` Matches any valid Access Service Token
    - `type AccessRuleAccessAuthContextRule struct{…}` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `type AuthenticationMethodRule struct{…}` Enforce different MFA options
    - `type AzureGroupRule struct{…}` Matches an Azure group. Requires an Azure identity provider.
    - `type CertificateRule struct{…}` Matches any valid client certificate.
    - `type AccessRuleAccessCommonNameRule struct{…}` Matches a specific common name.
    - `type CountryRule struct{…}` Matches a specific country
    - `type AccessDevicePostureRule struct{…}` Enforces a device posture rule has run successfully
    - `type DomainRule struct{…}` Match an entire email domain.
    - `type EmailListRule struct{…}` Matches an email address from a list.
    - `type EmailRule struct{…}` Matches a specific email.
    - `type EveryoneRule struct{…}` Matches everyone.
    - `type ExternalEvaluationRule struct{…}` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `type GitHubOrganizationRule struct{…}` Matches a Github organization. Requires a Github identity provider.
    - `type GSuiteGroupRule struct{…}` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `type AccessRuleAccessLoginMethodRule struct{…}` Matches a specific identity provider id.
    - `type IPListRule struct{…}` Matches an IP address from a list.
    - `type IPRule struct{…}` Matches an IP address block.
    - `type OktaGroupRule struct{…}` Matches an Okta group. Requires an Okta identity provider.
    - `type SAMLGroupRule struct{…}` Matches a SAML group. Requires a SAML identity provider.
    - `type AccessRuleAccessOIDCClaimRule struct{…}` Matches an OIDC claim. Requires an OIDC identity provider.
    - `type ServiceTokenRule struct{…}` Matches a specific Access Service Token
    - `type AccessRuleAccessLinkedAppTokenRule struct{…}` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `type AccessRuleAccessUserRiskScoreRule struct{…}` Matches a user's risk score.
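
The Include (OR), Exclude (NOT) and Require (AND) operators described above, modelled as a small evaluator with a check for over-broad or malformed definitions. This is an added example, not code from the SDK or from this page: `Request`, `Rule`, `Group`, `Evaluate` and `Findings` are hypothetical local names, the sample group and requests are constructed, and treating an empty Include list as matching nobody is an assumption of the model.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Request is one access attempt (constructed type for this example).
type Request struct{ Email, IP, Country string }

// Group carries the three rule lists of an Access group.
type Group struct{ Include, Exclude, Require []Rule }

// Rule is a local stand-in for one AccessRule; set exactly one field.
type Rule struct {
	EmailDomain string // DomainRule: EmailDomain.Domain
	Email       string // EmailRule: Email.Email
	IPCIDR      string // IPRule: IP.IP, an IPv4 or IPv6 CIDR block
	CountryCode string // CountryRule: Geo.CountryCode
	Everyone    bool   // EveryoneRule
}

// matches reports whether one rule matches; malformed CIDRs or addresses never match.
func (r Rule) matches(q Request) bool {
	switch {
	case r.Everyone:
		return true
	case r.Email != "":
		return strings.EqualFold(r.Email, q.Email)
	case r.EmailDomain != "":
		at := strings.LastIndex(q.Email, "@")
		return at >= 0 && strings.EqualFold(q.Email[at+1:], r.EmailDomain)
	case r.IPCIDR != "":
		prefix, perr := netip.ParsePrefix(r.IPCIDR)
		addr, aerr := netip.ParseAddr(q.IP)
		return perr == nil && aerr == nil && prefix.Contains(addr)
	case r.CountryCode != "":
		return strings.EqualFold(r.CountryCode, q.Country)
	}
	return false
}

// Evaluate applies Exclude (NOT), Require (AND), Include (OR); an empty Include matches nobody.
func Evaluate(g Group, q Request) (bool, string) {
	for _, r := range g.Exclude {
		if r.matches(q) {
			return false, "matched an Exclude rule"
		}
	}
	for _, r := range g.Require {
		if !r.matches(q) {
			return false, "failed a Require rule"
		}
	}
	for _, r := range g.Include {
		if r.matches(q) {
			return true, "matched an Include rule"
		}
	}
	return false, "matched no Include rule"
}

// Findings flags definitions that are broader or weaker than they look.
func Findings(g Group) []string {
	var out []string
	everyone := false
	for i, list := range [][]Rule{g.Include, g.Exclude, g.Require} {
		for _, r := range list {
			// A CIDR that does not parse never matches, so an Exclude built on it is a no-op.
			if _, err := netip.ParsePrefix(r.IPCIDR); r.IPCIDR != "" && err != nil {
				out = append(out, "invalid-cidr:"+r.IPCIDR)
			}
			everyone = everyone || (i == 0 && r.Everyone) // index 0 is Include
		}
	}
	if everyone && len(g.Require) == 0 {
		out = append(out, "everyone-without-require")
	}
	return out
}

// SampleGroup is a constructed group, not taken from the page.
func SampleGroup() Group {
	return Group{
		Include: []Rule{{EmailDomain: "example.com"}, {IPCIDR: "203.0.113.0/24"}},
		Exclude: []Rule{{Email: "contractor@example.com"}},
		Require: []Rule{{CountryCode: "US"}},
	}
}

func main() {
	for _, q := range []Request{
		{"alice@example.com", "198.51.100.7", "US"},
		{"contractor@example.com", "203.0.113.5", "US"},
	} {
		ok, why := Evaluate(SampleGroup(), q)
		fmt.Println(q.Email, q.Country, ok, why)
	}
}
```
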
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	group, err := client.ZeroTrust.Access.Groups.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessGroupUpdateParams{
			Include: cloudflare.F([]zero_trust.AccessRuleUnionParam{zero_trust.GroupRuleParam{
				Group: cloudflare.F(zero_trust.GroupRuleGroupParam{
					ID: cloudflare.F("aa0a4aab-672b-4bdb-bc33-a59f1130a11f"),
				}),
			}}),
			Name: cloudflare.F("Allow devs"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", group.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "is_default": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "name": "Allow devs",
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access group

`client.ZeroTrust.Access.Groups.Delete(ctx, groupID, body) (*AccessGroupDeleteResponse, error)`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Deletes an Access group.

### Parameters

- `groupID string` UUID.
- `body AccessGroupDeleteParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type AccessGroupDeleteResponse struct{…}`
  - `ID string` UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	group, err := client.ZeroTrust.Access.Groups.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessGroupDeleteParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", group.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Zero Trust Group

- `type ZeroTrustGroup struct{…}`
  - `ID string` The unique Cloudflare-generated Id of the SCIM resource.
  - `DisplayName string` The display name of the SCIM Group resource.
  - `ExternalID string` The IdP-generated Id of the SCIM resource.
  - `Meta ZeroTrustGroupMeta` The metadata of the SCIM resource.
    - `Created Time` The timestamp of when the SCIM resource was created.
    - `LastModified Time` The timestamp of when the SCIM resource was last modified.
  - `Schemas []string` The list of URIs which indicate the attributes contained within a SCIM resource.

# Service Tokens

## List service tokens

`client.ZeroTrust.Access.ServiceTokens.List(ctx, params) (*V4PagePaginationArray[ServiceToken], error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Lists all service tokens.
### Parameters

- `params AccessServiceTokenListParams`
  - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `Name param.Field[string]` Query param: The name of the service token.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `Search param.Field[string]` Query param: Search for service tokens by other listed query parameters.

### Returns

- `type ServiceToken struct{…}`
  - `ID string` The ID of the service token.
  - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `ExpiresAt Time`
  - `Name string` The name of the service token.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.ServiceTokens.List(context.TODO(), zero_trust.AccessServiceTokenListParams{})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "duration": "60m",
      "expires_at": "2014-01-01T05:20:00.12345Z",
      "last_seen_at": "2014-01-01T05:20:00.12345Z",
      "name": "CI/CD token",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a service token

`client.ZeroTrust.Access.ServiceTokens.Get(ctx, serviceTokenID, query) (*ServiceToken, error)`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Fetches a single service token.

### Parameters

- `serviceTokenID string` UUID.
- `query AccessServiceTokenGetParams`
  - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `type ServiceToken struct{…}`
  - `ID string` The ID of the service token.
  - `ClientID string` The Client ID for the service token.
    Access will check for this value in the `CF-Access-Client-ID` request header.
  - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `ExpiresAt Time`
  - `Name string` The name of the service token.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	serviceToken, err := client.ZeroTrust.Access.ServiceTokens.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessServiceTokenGetParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", serviceToken.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a service token

`client.ZeroTrust.Access.ServiceTokens.New(ctx, params) (*AccessServiceTokenNewResponse, error)`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Generates a new service token. **Note:** This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.
### Parameters

- `params AccessServiceTokenNewParams`
  - `Name param.Field[string]`
    Body param: The name of the service token.
  - `AccountID param.Field[string]`
    Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `ZoneID param.Field[string]`
    Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `ClientSecretVersion param.Field[float64]`
    Body param: A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
  - `Duration param.Field[string]`
    Body param: The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `PreviousClientSecretExpiresAt param.Field[Time]`
    Body param: The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `type AccessServiceTokenNewResponse struct{…}`
  - `ID string`
    The ID of the service token.
  - `ClientID string`
    The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `ClientSecret string`
    The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `Duration string`
    The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `Name string`
    The name of the service token.
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) serviceToken, err := client.ZeroTrust.Access.ServiceTokens.New(context.TODO(), zero_trust.AccessServiceTokenNewParams{ Name: cloudflare.F("CI/CD token"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", serviceToken.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a service token `client.ZeroTrust.Access.ServiceTokens.Update(ctx, serviceTokenID, params) (*ServiceToken, error)` **put** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}` Updates a configured service token. ### Parameters - `serviceTokenID string` UUID. - `params AccessServiceTokenUpdateParams` - `AccountID param.Field[string]` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `ZoneID param.Field[string]` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `ClientSecretVersion param.Field[float64]` Body param: A version number identifying the current `client_secret` associated with the service token. 
Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`. - `Duration param.Field[string]` Body param: The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `Name param.Field[string]` Body param: The name of the service token. - `PreviousClientSecretExpiresAt param.Field[Time]` Body param: The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise. ### Returns - `type ServiceToken struct{…}` - `ID string` The ID of the service token. - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `ExpiresAt Time` - `Name string` The name of the service token. 
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) serviceToken, err := client.ZeroTrust.Access.ServiceTokens.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessServiceTokenUpdateParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", serviceToken.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "expires_at": "2014-01-01T05:20:00.12345Z", "last_seen_at": "2014-01-01T05:20:00.12345Z", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a service token `client.ZeroTrust.Access.ServiceTokens.Delete(ctx, serviceTokenID, body) (*ServiceToken, error)` **delete** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}` Deletes a service token. ### Parameters - `serviceTokenID string` UUID. - `body AccessServiceTokenDeleteParams` - `AccountID param.Field[string]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `ZoneID param.Field[string]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `type ServiceToken struct{…}` - `ID string` The ID of the service token. - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. 
- `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `ExpiresAt Time` - `Name string` The name of the service token. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) serviceToken, err := client.ZeroTrust.Access.ServiceTokens.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessServiceTokenDeleteParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", serviceToken.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "expires_at": "2014-01-01T05:20:00.12345Z", "last_seen_at": "2014-01-01T05:20:00.12345Z", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Refresh a service token `client.ZeroTrust.Access.ServiceTokens.Refresh(ctx, serviceTokenID, body) (*ServiceToken, error)` **post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh` Refreshes the expiration of a service token. ### Parameters - `serviceTokenID string` UUID. - `body AccessServiceTokenRefreshParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type ServiceToken struct{…}` - `ID string` The ID of the service token. 
- `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `ExpiresAt Time` - `Name string` The name of the service token. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) serviceToken, err := client.ZeroTrust.Access.ServiceTokens.Refresh( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessServiceTokenRefreshParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", serviceToken.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "expires_at": "2014-01-01T05:20:00.12345Z", "last_seen_at": "2014-01-01T05:20:00.12345Z", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Rotate a service token `client.ZeroTrust.Access.ServiceTokens.Rotate(ctx, serviceTokenID, params) (*AccessServiceTokenRotateResponse, error)` **post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate` Generates a new Client Secret for a service token and revokes the old one. 
### Parameters

- `serviceTokenID string`
  UUID.
- `params AccessServiceTokenRotateParams`
  - `AccountID param.Field[string]`
    Path param: Identifier.
  - `PreviousClientSecretExpiresAt param.Field[Time]`
    Body param: The expiration of the previous `client_secret`. If not provided, it defaults to the current timestamp in order to immediately expire the previous secret.

### Returns

- `type AccessServiceTokenRotateResponse struct{…}`
  - `ID string`
    The ID of the service token.
  - `ClientID string`
    The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `ClientSecret string`
    The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `Duration string`
    The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `Name string`
    The name of the service token.
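The following is an added example, not code from the Cloudflare SDK or its documentation: an offline audit that reads a response shaped like the service token list output and flags tokens that are candidates for the refresh, rotate or delete calls documented above. The sample JSON and its IDs, the `policy` thresholds and the finding labels are assumptions constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Constructed sample shaped like the service token list response;
// IDs, names and timestamps are invented for this example.
const sampleListResponse = `{"success": true, "result": [
 {"id": "00000000-0000-4000-8000-000000000001", "name": "CI/CD token", "duration": "8760h",
  "expires_at": "2025-01-09T00:00:00Z", "last_seen_at": "2024-12-30T08:15:00.12345Z"},
 {"id": "00000000-0000-4000-8000-000000000002", "name": "legacy batch job", "duration": "26280h",
  "expires_at": "2026-06-01T00:00:00Z", "last_seen_at": "2024-03-01T00:00:00Z"},
 {"id": "00000000-0000-4000-8000-000000000003", "name": "unused token", "duration": "720h",
  "expires_at": "2024-12-15T00:00:00Z"},
 {"id": "00000000-0000-4000-8000-000000000004", "name": "healthy service", "duration": "2160h",
  "expires_at": "2025-03-15T00:00:00Z", "last_seen_at": "2024-12-31T23:00:00Z"}
]}`

// tokenRecord holds the response fields the audit needs. Pointers distinguish
// "field absent" (for example a token that was never used) from a zero time.
type tokenRecord struct {
	ID         string     `json:"id"`
	Name       string     `json:"name"`
	Duration   string     `json:"duration"`
	ExpiresAt  *time.Time `json:"expires_at"`
	LastSeenAt *time.Time `json:"last_seen_at"`
}

type listEnvelope struct {
	Success bool          `json:"success"`
	Result  []tokenRecord `json:"result"`
}

// policy is a hypothetical local policy; the thresholds are not Cloudflare defaults.
type policy struct {
	WarnBefore  time.Duration // flag tokens expiring within this window
	StaleAfter  time.Duration // flag tokens not seen for longer than this
	MaxDuration time.Duration // flag tokens issued with a longer validity
}

var defaultPolicy = policy{WarnBefore: 14 * 24 * time.Hour, StaleAfter: 90 * 24 * time.Hour, MaxDuration: 8760 * time.Hour}

// checkDuration validates a duration string in the documented format
// ("300ms", "2h45m"); time.ParseDuration accepts the same units the page lists.
func checkDuration(s string, max time.Duration) string {
	d, err := time.ParseDuration(s)
	switch {
	case err != nil || d <= 0:
		return "bad-duration"
	case d > max:
		return "long-lived"
	}
	return ""
}

// auditTokens returns findings keyed by token ID; tokens with no findings are omitted.
func auditTokens(raw []byte, now time.Time, p policy) (map[string][]string, error) {
	var env listEnvelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode list response: %w", err)
	}
	if !env.Success {
		return nil, fmt.Errorf("list response reports success=false")
	}
	findings := make(map[string][]string)
	for _, t := range env.Result {
		var f []string
		if label := checkDuration(t.Duration, p.MaxDuration); label != "" {
			f = append(f, label)
		}
		switch {
		case t.ExpiresAt == nil:
			f = append(f, "no-expiry")
		case !t.ExpiresAt.After(now):
			f = append(f, "expired")
		case t.ExpiresAt.Sub(now) <= p.WarnBefore:
			f = append(f, "expires-soon")
		}
		switch {
		case t.LastSeenAt == nil:
			f = append(f, "never-seen")
		case now.Sub(*t.LastSeenAt) > p.StaleAfter:
			f = append(f, "stale")
		}
		if len(f) > 0 {
			findings[t.ID] = f
		}
	}
	return findings, nil
}

func main() {
	// Fixed clock so the output is reproducible; use time.Now() against live data.
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	findings, err := auditTokens([]byte(sampleListResponse), now, defaultPolicy)
	if err != nil {
		panic(err)
	}
	ids := make([]string, 0, len(findings))
	for id := range findings {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		fmt.Printf("%s: %v\n", id, findings[id])
	}
}
```

Tokens flagged `never-seen` or `stale` are candidates for deletion rather than refresh, since extending an unused credential only lengthens its exposure.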
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) response, err := client.ZeroTrust.Access.ServiceTokens.Rotate( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessServiceTokenRotateParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", response.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", "created_at": "2014-01-01T05:20:00.12345Z", "duration": "60m", "name": "CI/CD token", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Domain Types ### Service Token - `type ServiceToken struct{…}` - `ID string` The ID of the service token. - `ClientID string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. - `Duration string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `ExpiresAt Time` - `Name string` The name of the service token. # Bookmarks ## List Bookmark applications `client.ZeroTrust.Access.Bookmarks.List(ctx, query) (*SinglePage[Bookmark], error)` **get** `/accounts/{account_id}/access/bookmarks` Lists Bookmark applications. 
### Parameters - `query AccessBookmarkListParams` - `AccountID param.Field[string]` ### Returns - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Access.Bookmarks.List(context.TODO(), zero_trust.AccessBookmarkListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a Bookmark application `client.ZeroTrust.Access.Bookmarks.Get(ctx, bookmarkID, query) (*Bookmark, error)` **get** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Fetches a single Bookmark application. ### Parameters - `bookmarkID string` UUID. 
- `query AccessBookmarkGetParams` - `AccountID param.Field[string]` ### Returns - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) bookmark, err := client.ZeroTrust.Access.Bookmarks.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessBookmarkGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", bookmark.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a Bookmark application `client.ZeroTrust.Access.Bookmarks.New(ctx, bookmarkID, params) (*Bookmark, error)` **post** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Create a new Bookmark application. ### Parameters - `bookmarkID string` UUID. 
- `params AccessBookmarkNewParams` - `AccountID param.Field[string]` Path param - `Body param.Field[unknown]` Body param ### Returns - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) bookmark, err := client.ZeroTrust.Access.Bookmarks.New( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessBookmarkNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Body: map[string]interface{}{ }, }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", bookmark.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a Bookmark application `client.ZeroTrust.Access.Bookmarks.Update(ctx, bookmarkID, params) (*Bookmark, error)` **put** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Updates a configured Bookmark application. ### Parameters - `bookmarkID string` UUID. 
- `params AccessBookmarkUpdateParams` - `AccountID param.Field[string]` Path param - `Body param.Field[unknown]` Body param ### Returns - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) bookmark, err := client.ZeroTrust.Access.Bookmarks.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessBookmarkUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Body: map[string]interface{}{ }, }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", bookmark.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a Bookmark application `client.ZeroTrust.Access.Bookmarks.Delete(ctx, bookmarkID, body) (*AccessBookmarkDeleteResponse, error)` **delete** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Deletes a Bookmark application. ### Parameters - `bookmarkID string` UUID. 
- `body AccessBookmarkDeleteParams` - `AccountID param.Field[string]` ### Returns - `type AccessBookmarkDeleteResponse struct{…}` - `ID string` UUID. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) bookmark, err := client.ZeroTrust.Access.Bookmarks.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.AccessBookmarkDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", bookmark.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Bookmark - `type Bookmark struct{…}` - `ID string` The unique identifier for the Bookmark application. - `AppLauncherVisible bool` Displays the application in the App Launcher. - `Domain string` The domain of the Bookmark application. - `LogoURL string` The image URL for the logo shown in the App Launcher dashboard. - `Name string` The name of the Bookmark application. # Keys ## Get the Access key configuration `client.ZeroTrust.Access.Keys.Get(ctx, query) (*AccessKeyGetResponse, error)` **get** `/accounts/{account_id}/access/keys` Gets the Access key rotation settings for an account. ### Parameters - `query AccessKeyGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type AccessKeyGetResponse struct{…}` - `DaysUntilNextRotation float64` The number of days until the next key rotation. 
- `KeyRotationIntervalDays float64` The number of days between key rotations. - `LastKeyRotationAt Time` The timestamp of the previous key rotation. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) key, err := client.ZeroTrust.Access.Keys.Get(context.TODO(), zero_trust.AccessKeyGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", key.DaysUntilNextRotation) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "days_until_next_rotation": 1, "key_rotation_interval_days": 30, "last_key_rotation_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update the Access key configuration `client.ZeroTrust.Access.Keys.Update(ctx, params) (*AccessKeyUpdateResponse, error)` **put** `/accounts/{account_id}/access/keys` Updates the Access key rotation settings for an account. ### Parameters - `params AccessKeyUpdateParams` - `AccountID param.Field[string]` Path param: Identifier. - `KeyRotationIntervalDays param.Field[float64]` Body param: The number of days between key rotations. ### Returns - `type AccessKeyUpdateResponse struct{…}` - `DaysUntilNextRotation float64` The number of days until the next key rotation. - `KeyRotationIntervalDays float64` The number of days between key rotations. - `LastKeyRotationAt Time` The timestamp of the previous key rotation. 
### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  // Set the account-wide rotation interval for Access keys, in days.
  key, err := client.ZeroTrust.Access.Keys.Update(context.TODO(), zero_trust.AccessKeyUpdateParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    KeyRotationIntervalDays: cloudflare.F(30.000000),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", key.DaysUntilNextRotation)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Access keys

`client.ZeroTrust.Access.Keys.Rotate(ctx, body) (*AccessKeyRotateResponse, error)`

**post** `/accounts/{account_id}/access/keys/rotate`

Performs a key rotation for an account.

### Parameters

- `body AccessKeyRotateParams`
  - `AccountID param.Field[string]`
    Identifier.

### Returns

- `type AccessKeyRotateResponse struct{…}`
  - `DaysUntilNextRotation float64`
    The number of days until the next key rotation.
  - `KeyRotationIntervalDays float64`
    The number of days between key rotations.
  - `LastKeyRotationAt Time`
    The timestamp of the previous key rotation.
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) response, err := client.ZeroTrust.Access.Keys.Rotate(context.TODO(), zero_trust.AccessKeyRotateParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", response.DaysUntilNextRotation) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "days_until_next_rotation": 1, "key_rotation_interval_days": 30, "last_key_rotation_at": "2014-01-01T05:20:00.12345Z" } } ``` # Logs # Access Requests ## Get Access authentication logs `client.ZeroTrust.Access.Logs.AccessRequests.List(ctx, params) (*[]AccessRequest, error)` **get** `/accounts/{account_id}/access/logs/access_requests` Gets a list of Access authentication audit logs for an account. ### Parameters - `params AccessLogAccessRequestListParams` - `AccountID param.Field[string]` Path param: Identifier. - `AllowedOp param.Field[AccessLogAccessRequestListParamsAllowedOp]` Query param: Operator for the `allowed` filter. - `const AccessLogAccessRequestListParamsAllowedOpEq AccessLogAccessRequestListParamsAllowedOp = "eq"` - `const AccessLogAccessRequestListParamsAllowedOpNeq AccessLogAccessRequestListParamsAllowedOp = "neq"` - `AppTypeOp param.Field[AccessLogAccessRequestListParamsAppTypeOp]` Query param: Operator for the `app_type` filter. 
- `const AccessLogAccessRequestListParamsAppTypeOpEq AccessLogAccessRequestListParamsAppTypeOp = "eq"` - `const AccessLogAccessRequestListParamsAppTypeOpNeq AccessLogAccessRequestListParamsAppTypeOp = "neq"` - `AppUIDOp param.Field[AccessLogAccessRequestListParamsAppUIDOp]` Query param: Operator for the `app_uid` filter. - `const AccessLogAccessRequestListParamsAppUIDOpEq AccessLogAccessRequestListParamsAppUIDOp = "eq"` - `const AccessLogAccessRequestListParamsAppUIDOpNeq AccessLogAccessRequestListParamsAppUIDOp = "neq"` - `CountryCodeOp param.Field[AccessLogAccessRequestListParamsCountryCodeOp]` Query param: Operator for the `country_code` filter. - `const AccessLogAccessRequestListParamsCountryCodeOpEq AccessLogAccessRequestListParamsCountryCodeOp = "eq"` - `const AccessLogAccessRequestListParamsCountryCodeOpNeq AccessLogAccessRequestListParamsCountryCodeOp = "neq"` - `Direction param.Field[AccessLogAccessRequestListParamsDirection]` Query param: The chronological sorting order for the logs. - `const AccessLogAccessRequestListParamsDirectionDesc AccessLogAccessRequestListParamsDirection = "desc"` - `const AccessLogAccessRequestListParamsDirectionAsc AccessLogAccessRequestListParamsDirection = "asc"` - `Email param.Field[string]` Query param: Filter by user email. Defaults to substring matching. To force exact matching, set `email_exact=true`. Example (default): `email=@example.com` returns all events with that domain. Example (exact): `email=user@example.com&email_exact=true` returns only that user. - `EmailExact param.Field[bool]` Query param: When true, `email` is matched exactly instead of substring matching. - `EmailOp param.Field[AccessLogAccessRequestListParamsEmailOp]` Query param: Operator for the `email` filter. 
- `const AccessLogAccessRequestListParamsEmailOpEq AccessLogAccessRequestListParamsEmailOp = "eq"` - `const AccessLogAccessRequestListParamsEmailOpNeq AccessLogAccessRequestListParamsEmailOp = "neq"` - `Fields param.Field[string]` Query param: Comma-separated list of fields to include in the response. When omitted, all fields are returned. - `IdPOp param.Field[AccessLogAccessRequestListParamsIdPOp]` Query param: Operator for the `idp` filter. - `const AccessLogAccessRequestListParamsIdPOpEq AccessLogAccessRequestListParamsIdPOp = "eq"` - `const AccessLogAccessRequestListParamsIdPOpNeq AccessLogAccessRequestListParamsIdPOp = "neq"` - `Limit param.Field[int64]` Query param: The maximum number of log entries to retrieve. - `NonIdentityOp param.Field[AccessLogAccessRequestListParamsNonIdentityOp]` Query param: Operator for the `non_identity` filter. - `const AccessLogAccessRequestListParamsNonIdentityOpEq AccessLogAccessRequestListParamsNonIdentityOp = "eq"` - `const AccessLogAccessRequestListParamsNonIdentityOpNeq AccessLogAccessRequestListParamsNonIdentityOp = "neq"` - `Page param.Field[int64]` Query param: Page number of results. - `PerPage param.Field[int64]` Query param: Number of results per page. - `RayIDOp param.Field[AccessLogAccessRequestListParamsRayIDOp]` Query param: Operator for the `ray_id` filter. - `const AccessLogAccessRequestListParamsRayIDOpEq AccessLogAccessRequestListParamsRayIDOp = "eq"` - `const AccessLogAccessRequestListParamsRayIDOpNeq AccessLogAccessRequestListParamsRayIDOp = "neq"` - `Since param.Field[Time]` Query param: The earliest event timestamp to query. - `Until param.Field[Time]` Query param: The latest event timestamp to query. - `UserID param.Field[string]` Query param: Filter by user UUID. - `UserIDOp param.Field[AccessLogAccessRequestListParamsUserIDOp]` Query param: Operator for the `user_id` filter. 
    - `const AccessLogAccessRequestListParamsUserIDOpEq AccessLogAccessRequestListParamsUserIDOp = "eq"`
    - `const AccessLogAccessRequestListParamsUserIDOpNeq AccessLogAccessRequestListParamsUserIDOp = "neq"`

### Returns

- `type AccessLogAccessRequestListResponseEnvelopeResult []AccessRequest`
  - `Action string` The event that occurred, such as a login attempt.
  - `Allowed bool` The result of the authentication event.
  - `AppDomain string` The URL of the Access application.
  - `AppUID string` The unique identifier for the Access application.
  - `Connection string` The IdP used to authenticate.
  - `CreatedAt Time`
  - `IPAddress string` The IP address of the authenticating user.
  - `RayID string` The unique identifier for the request to Cloudflare.
  - `UserEmail string` The email address of the authenticating user.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
		option.WithAPIEmail("user@example.com"),
	)
	accessRequests, err := client.ZeroTrust.Access.Logs.AccessRequests.List(context.TODO(), zero_trust.AccessLogAccessRequestListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", accessRequests)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "login",
      "allowed": true,
      "app_domain": "test.example.com/admin",
      "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "connection": "saml",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "ip_address": "198.41.129.166",
      "ray_id": "187d944c61940c77",
      "user_email": "user@example.com"
    }
  ]
}
```

# SCIM

## Domain Types

### Access Request

- `type AccessRequest struct{…}`
  - `Action string` The event that occurred, such as a login attempt.
  - `Allowed bool` The result of the authentication event.
  - `AppDomain string` The URL of the Access application.
  - `AppUID string` The unique identifier for the Access application.
  - `Connection string` The IdP used to authenticate.
  - `CreatedAt Time`
  - `IPAddress string` The IP address of the authenticating user.
  - `RayID string` The unique identifier for the request to Cloudflare.
  - `UserEmail string` The email address of the authenticating user.

# Updates

## List Access SCIM update logs

`client.ZeroTrust.Access.Logs.SCIM.Updates.List(ctx, params) (*V4PagePaginationArray[AccessLogSCIMUpdateListResponse], error)`

**get** `/accounts/{account_id}/access/logs/scim/updates`

Lists Access SCIM update logs that maintain a record of updates made to User and Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Parameters

- `params AccessLogSCIMUpdateListParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `IdPID param.Field[[]string]` Query param: The unique Id of the IdP that has SCIM enabled.
  - `CfResourceID param.Field[string]` Query param: The unique Cloudflare-generated Id of the SCIM resource.
  - `Direction param.Field[AccessLogSCIMUpdateListParamsDirection]` Query param: The chronological order used to sort the logs.
    - `const AccessLogSCIMUpdateListParamsDirectionDesc AccessLogSCIMUpdateListParamsDirection = "desc"`
    - `const AccessLogSCIMUpdateListParamsDirectionAsc AccessLogSCIMUpdateListParamsDirection = "asc"`
  - `IdPResourceID param.Field[string]` Query param: The IdP-generated Id of the SCIM resource.
  - `Limit param.Field[int64]` Query param: The maximum number of update logs to retrieve.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `RequestMethod param.Field[[]AccessLogSCIMUpdateListParamsRequestMethod]` Query param: The request method of the SCIM request.
    - `const AccessLogSCIMUpdateListParamsRequestMethodDelete AccessLogSCIMUpdateListParamsRequestMethod = "DELETE"`
    - `const AccessLogSCIMUpdateListParamsRequestMethodPatch AccessLogSCIMUpdateListParamsRequestMethod = "PATCH"`
    - `const AccessLogSCIMUpdateListParamsRequestMethodPost AccessLogSCIMUpdateListParamsRequestMethod = "POST"`
    - `const AccessLogSCIMUpdateListParamsRequestMethodPut AccessLogSCIMUpdateListParamsRequestMethod = "PUT"`
  - `ResourceGroupName param.Field[string]` Query param: The display name of the SCIM Group resource.
  - `ResourceType param.Field[[]AccessLogSCIMUpdateListParamsResourceType]` Query param: The resource type of the SCIM request.
    - `const AccessLogSCIMUpdateListParamsResourceTypeUser AccessLogSCIMUpdateListParamsResourceType = "USER"`
    - `const AccessLogSCIMUpdateListParamsResourceTypeGroup AccessLogSCIMUpdateListParamsResourceType = "GROUP"`
  - `ResourceUserEmail param.Field[string]` Query param: The email address of the SCIM User resource.
  - `Since param.Field[Time]` Query param: the timestamp of the earliest update log.
  - `Status param.Field[[]AccessLogSCIMUpdateListParamsStatus]` Query param: The status of the SCIM request.
    - `const AccessLogSCIMUpdateListParamsStatusFailure AccessLogSCIMUpdateListParamsStatus = "FAILURE"`
    - `const AccessLogSCIMUpdateListParamsStatusSuccess AccessLogSCIMUpdateListParamsStatus = "SUCCESS"`
  - `Until param.Field[Time]` Query param: the timestamp of the most-recent update log.

### Returns

- `type AccessLogSCIMUpdateListResponse struct{…}`
  - `CfResourceID string` The unique Cloudflare-generated Id of the SCIM resource.
  - `ErrorDescription string` The error message which is generated when the status of the SCIM request is 'FAILURE'.
  - `IdPID string` The unique Id of the IdP that has SCIM enabled.
  - `IdPResourceID string` The IdP-generated Id of the SCIM resource.
  - `LoggedAt Time`
  - `RequestBody string` The JSON-encoded string body of the SCIM request.
  - `RequestMethod string` The request method of the SCIM request.
  - `ResourceGroupName string` The display name of the SCIM Group resource if it exists.
  - `ResourceType string` The resource type of the SCIM request.
  - `ResourceUserEmail string` The email address of the SCIM User resource if it exists.
  - `Status string` The status of the SCIM request.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
		option.WithAPIEmail("user@example.com"),
	)
	page, err := client.ZeroTrust.Access.Logs.SCIM.Updates.List(context.TODO(), zero_trust.AccessLogSCIMUpdateListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		IdPID:     cloudflare.F([]string{"df7e2w5f-02b7-4d9d-af26-8d1988fca630", "0194ae2c-efcf-7cfb-8884-055f1a161fa5"}),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "cf_resource_id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "error_description": "Invalid JSON body",
      "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "idp_resource_id": "all_employees",
      "logged_at": "2014-01-01T05:20:00.12345Z",
      "request_body": "{}}",
      "request_method": "DELETE",
      "resource_group_name": "ALL_EMPLOYEES",
      "resource_type": "GROUP",
      "resource_user_email": "john.smith@example.com",
      "status": "FAILURE"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Users

## Get users

`client.ZeroTrust.Access.Users.List(ctx, params) (*V4PagePaginationArray[AccessUserListResponse], error)`

**get** `/accounts/{account_id}/access/users`

Gets a list of users for an account.

### Parameters

- `params AccessUserListParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Email param.Field[string]` Query param: The email of the user.
  - `Name param.Field[string]` Query param: The name of the user.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
  - `Search param.Field[string]` Query param: Search for users by other listed query parameters.

### Returns

- `type AccessUserListResponse struct{…}`
  - `ID string` UUID.
  - `AccessSeat bool` True if the user has authenticated with Cloudflare Access.
  - `ActiveDeviceCount float64` The number of active devices registered to the user.
  - `CreatedAt Time`
  - `Email string` The email of the user.
  - `GatewaySeat bool` True if the user has logged into the WARP client.
  - `LastSuccessfulLogin Time` The time at which the user last successfully logged in.
  - `Name string` The name of the user.
  - `SeatUID string` The unique API identifier for the Zero Trust seat.
  - `UID string` The unique API identifier for the user.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Users.List(context.TODO(), zero_trust.AccessUserListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "access_seat": false,
      "active_device_count": 2,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "email": "jdoe@example.com",
      "gateway_seat": false,
      "last_successful_login": "2020-07-01T05:20:00Z",
      "name": "Jane Doe",
      "seat_uid": "seat_uid",
      "uid": "uid",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 100,
    "total_count": 1,
    "total_pages": 100
  }
}
```

## Get a user

`client.ZeroTrust.Access.Users.Get(ctx, userID, query) (*AccessUserGetResponse, error)`

**get** `/accounts/{account_id}/access/users/{user_id}`

Gets a specific user for an account.

### Parameters

- `userID string` UUID.
- `query AccessUserGetParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessUserGetResponse struct{…}`
  - `ID string` UUID.
  - `AccessSeat bool` True if the user has authenticated with Cloudflare Access.
  - `ActiveDeviceCount float64` The number of active devices registered to the user.
  - `CreatedAt Time`
  - `Email string` The email of the user.
  - `GatewaySeat bool` True if the user has logged into the WARP client.
  - `LastSuccessfulLogin Time` The time at which the user last successfully logged in.
  - `Name string` The name of the user.
  - `SeatUID string` The unique API identifier for the Zero Trust seat.
  - `UID string` The unique API identifier for the user.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	user, err := client.ZeroTrust.Access.Users.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessUserGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", user.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a user

`client.ZeroTrust.Access.Users.New(ctx, params) (*AccessUserNewResponse, error)`

**post** `/accounts/{account_id}/access/users`

Creates a new user.

### Parameters

- `params AccessUserNewParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Email param.Field[string]` Body param: The email of the user.
  - `Name param.Field[string]` Body param: The name of the user.

### Returns

- `type AccessUserNewResponse struct{…}`
  - `ID string` UUID.
  - `AccessSeat bool` True if the user has authenticated with Cloudflare Access.
  - `ActiveDeviceCount float64` The number of active devices registered to the user.
  - `CreatedAt Time`
  - `Email string` The email of the user.
  - `GatewaySeat bool` True if the user has logged into the WARP client.
  - `LastSuccessfulLogin Time` The time at which the user last successfully logged in.
  - `Name string` The name of the user.
  - `SeatUID string` The unique API identifier for the Zero Trust seat.
  - `UID string` The unique API identifier for the user.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	user, err := client.ZeroTrust.Access.Users.New(context.TODO(), zero_trust.AccessUserNewParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		Email:     cloudflare.F("jdoe@example.com"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", user.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a user

`client.ZeroTrust.Access.Users.Update(ctx, userID, params) (*AccessUserUpdateResponse, error)`

**put** `/accounts/{account_id}/access/users/{user_id}`

Updates a specific user's name for an account. Requires the user's current email as confirmation (email cannot be changed).

### Parameters

- `userID string` UUID.
- `params AccessUserUpdateParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Email param.Field[string]` Body param: The email of the user.
  - `Name param.Field[string]` Body param: The name of the user.

### Returns

- `type AccessUserUpdateResponse struct{…}`
  - `ID string` UUID.
  - `AccessSeat bool` True if the user has authenticated with Cloudflare Access.
  - `ActiveDeviceCount float64` The number of active devices registered to the user.
  - `CreatedAt Time`
  - `Email string` The email of the user.
  - `GatewaySeat bool` True if the user has logged into the WARP client.
  - `LastSuccessfulLogin Time` The time at which the user last successfully logged in.
  - `Name string` The name of the user.
  - `SeatUID string` The unique API identifier for the Zero Trust seat.
  - `UID string` The unique API identifier for the user.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	user, err := client.ZeroTrust.Access.Users.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessUserUpdateParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
			Email:     cloudflare.F("jdoe@example.com"),
			Name:      cloudflare.F("Jane Doe"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", user.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a user

`client.ZeroTrust.Access.Users.Delete(ctx, userID, body) (*AccessUserDeleteResponse, error)`

**delete** `/accounts/{account_id}/access/users/{user_id}`

Deletes a specific user for an account. This will also revoke any active seats and tokens for the user.

### Parameters

- `userID string` UUID.
- `body AccessUserDeleteParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessUserDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	user, err := client.ZeroTrust.Access.Users.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessUserDeleteParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", user)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Access User

- `type AccessUser struct{…}`
  - `ID string` The unique Cloudflare-generated Id of the SCIM resource.
  - `Active bool` Determines the status of the SCIM User resource.
  - `DisplayName string` The name of the SCIM User resource.
  - `Emails []AccessUserEmail`
    - `Primary bool` Indicates if the email address is the primary email belonging to the SCIM User resource.
    - `Type string` Indicates the type of the email address.
    - `Value string` The email address of the SCIM User resource.
  - `ExternalID string` The IdP-generated Id of the SCIM resource.
  - `Meta AccessUserMeta` The metadata of the SCIM resource.
    - `Created Time` The timestamp of when the SCIM resource was created.
    - `LastModified Time` The timestamp of when the SCIM resource was last modified.
  - `Schemas []string` The list of URIs which indicate the attributes contained within a SCIM resource.

# Active Sessions

## Get active sessions

`client.ZeroTrust.Access.Users.ActiveSessions.List(ctx, userID, query) (*SinglePage[AccessUserActiveSessionListResponse], error)`

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions`

Get active sessions for a single user.

### Parameters

- `userID string` UUID.
- `query AccessUserActiveSessionListParams`
  - `AccountID param.Field[string]` Identifier.
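The following is an added example, not code from the SDK or its documentation. It decodes a constructed response in the shape documented for this endpoint and lists the sessions still live at a given time, flagging any whose lifetime exceeds a chosen limit. It assumes `iat` and `expires` are Unix seconds and `ttl` is a duration in seconds; the names `LiveSessions`, `LiveSession` and `maxTTL` are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"time"
)

// sampleResponse is constructed for this example in the shape of the
// active_sessions list response; its first entry reuses the documented values.
const sampleResponse = `{"success": true, "result": [
 {"expiration": 1694813506, "name": "name", "metadata": {
   "apps": {"foo": {"hostname": "test.example.com", "name": "app name",
     "type": "self_hosted", "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e"}},
   "expires": 1694813506, "iat": 1694791905, "nonce": "X1aXj1lFVcqqyoXF", "ttl": 21600}},
 {"expiration": 1694786400, "name": "name", "metadata": {
   "apps": {"a": {"hostname": "wiki.example.com"}},
   "expires": 1694786400, "iat": 1694700000, "nonce": "constructedNonce01", "ttl": 86400}},
 {"expiration": 1694881400, "name": "name", "metadata": {
   "apps": {"a": {"hostname": "wiki.example.com"}, "b": {"hostname": "admin.example.com"}},
   "expires": 1694881400, "iat": 1694795000, "nonce": "constructedNonce02", "ttl": 86400}}
]}`

// activeSession mirrors only the response fields this example reads.
type activeSession struct {
	Metadata struct {
		Apps map[string]struct {
			Hostname string `json:"hostname"`
		} `json:"apps"`
		Expires int64  `json:"expires"`
		Iat     int64  `json:"iat"`
		Nonce   string `json:"nonce"`
		TTL     int64  `json:"ttl"`
	} `json:"metadata"`
}

type envelope struct {
	Success bool            `json:"success"`
	Result  []activeSession `json:"result"`
}

// LiveSession (hypothetical name) is the triage view of one unexpired session.
type LiveSession struct {
	Nonce      string // identifier the single-session endpoint takes
	IssuedAt   time.Time
	ExpiresAt  time.Time
	Remaining  time.Duration // time left at the moment of evaluation
	OverPolicy bool          // lifetime longer than the caller's limit
	Hostnames  []string      // applications the session covers, sorted
}

// LiveSessions decodes a list response and returns the sessions that have not
// expired at now, longest-lived first. Assumption: iat and expires are Unix
// seconds and ttl is in seconds.
func LiveSessions(body []byte, now time.Time, maxTTL time.Duration) ([]LiveSession, error) {
	var env envelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("response reports success=false")
	}
	var live []LiveSession
	for _, s := range env.Result {
		m := s.Metadata
		iat, exp := time.Unix(m.Iat, 0).UTC(), time.Unix(m.Expires, 0).UTC()
		if m.Nonce == "" || !exp.After(now) {
			continue // unusable record, or the session has already expired
		}
		ttl := time.Duration(m.TTL) * time.Second
		if ttl <= 0 {
			ttl = exp.Sub(iat) // ttl missing: derive the lifetime from the timestamps
		}
		hosts := make([]string, 0, len(m.Apps))
		for _, app := range m.Apps {
			hosts = append(hosts, app.Hostname)
		}
		sort.Strings(hosts)
		live = append(live, LiveSession{
			Nonce: m.Nonce, IssuedAt: iat, ExpiresAt: exp,
			Remaining: exp.Sub(now), OverPolicy: ttl > maxTTL, Hostnames: hosts,
		})
	}
	sort.Slice(live, func(i, j int) bool { return live[i].ExpiresAt.After(live[j].ExpiresAt) })
	return live, nil
}

func main() {
	now := time.Unix(1694800000, 0).UTC() // fixed clock so the output is reproducible
	live, err := LiveSessions([]byte(sampleResponse), now, 12*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, s := range live {
		fmt.Printf("%s expires=%s remaining=%s over_policy=%t apps=%v\n",
			s.Nonce, s.ExpiresAt.Format(time.RFC3339), s.Remaining, s.OverPolicy, s.Hostnames)
	}
}
```

The `Nonce` of a flagged entry is the value the single-session endpoint takes, which returns that session's device and identity details.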
### Returns

- `type AccessUserActiveSessionListResponse struct{…}`
  - `Expiration int64`
  - `Metadata AccessUserActiveSessionListResponseMetadata`
    - `Apps map[string, AccessUserActiveSessionListResponseMetadataApp]`
      - `Hostname string`
      - `Name string`
      - `Type string`
      - `UID string`
    - `Expires int64`
    - `Iat int64`
    - `Nonce string`
    - `TTL int64`
  - `Name string`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Users.ActiveSessions.List(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessUserActiveSessionListParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "expiration": 1694813506,
      "metadata": {
        "apps": {
          "foo": {
            "hostname": "test.example.com",
            "name": "app name",
            "type": "self_hosted",
            "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e"
          }
        },
        "expires": 1694813506,
        "iat": 1694791905,
        "nonce": "X1aXj1lFVcqqyoXF",
        "ttl": 21600
      },
      "name": "name"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get single active session

`client.ZeroTrust.Access.Users.ActiveSessions.Get(ctx, userID, nonce, query) (*AccessUserActiveSessionGetResponse, error)`

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}`

Get an active session for a single user.

### Parameters

- `userID string` UUID.
- `nonce string`
- `query AccessUserActiveSessionGetParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessUserActiveSessionGetResponse struct{…}`
  - `AccountID string`
  - `AuthStatus string`
  - `CommonName string`
  - `DeviceID string`
  - `DeviceSessions map[string, AccessUserActiveSessionGetResponseDeviceSession]`
    - `LastAuthenticated float64`
  - `DevicePosture map[string, AccessUserActiveSessionGetResponseDevicePosture]`
    - `ID string`
    - `Check AccessUserActiveSessionGetResponseDevicePostureCheck`
      - `Exists bool`
      - `Path string`
    - `Data unknown`
    - `Description string`
    - `Error string`
    - `RuleName string`
    - `Success bool`
    - `Timestamp string`
    - `Type string`
  - `Email string`
  - `Geo UserPolicyCheckGeo`
    - `Country string`
  - `Iat float64`
  - `IdP AccessUserActiveSessionGetResponseIdP`
    - `ID string`
    - `Type string`
  - `IP string`
  - `IsGateway bool`
  - `IsWARP bool`
  - `IsActive bool`
  - `MTLSAuth AccessUserActiveSessionGetResponseMTLSAuth`
    - `AuthStatus string`
    - `CERTIssuerDn string`
    - `CERTIssuerSki string`
    - `CERTPresented bool`
    - `CERTSerial string`
  - `ServiceTokenID string`
  - `ServiceTokenStatus bool`
  - `UserUUID string`
  - `Version float64`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	activeSession, err := client.ZeroTrust.Access.Users.ActiveSessions.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		"X1aXj1lFVcqqyoXF",
		zero_trust.AccessUserActiveSessionGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", activeSession.AccountID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "account_id": "1234567890",
    "auth_status": "NONE",
    "common_name": "",
    "device_id": "",
    "device_sessions": {
      "foo": {
        "last_authenticated": 1638832687
      }
    },
    "devicePosture": {
      "foo": {
        "id": "id",
        "check": {
          "exists": true,
          "path": "path"
        },
        "data": {},
        "description": "description",
        "error": "error",
        "rule_name": "rule_name",
        "success": true,
        "timestamp": "timestamp",
        "type": "type"
      }
    },
    "email": "test@cloudflare.com",
    "geo": {
      "country": "US"
    },
    "iat": 1694791905,
    "idp": {
      "id": "id",
      "type": "type"
    },
    "ip": "127.0.0.0",
    "is_gateway": false,
    "is_warp": false,
    "isActive": true,
    "mtls_auth": {
      "auth_status": "auth_status",
      "cert_issuer_dn": "cert_issuer_dn",
      "cert_issuer_ski": "cert_issuer_ski",
      "cert_presented": true,
      "cert_serial": "cert_serial"
    },
    "service_token_id": "",
    "service_token_status": false,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
    "version": 2
  }
}
```

# Last Seen Identity

## Get last seen identity

`client.ZeroTrust.Access.Users.LastSeenIdentity.Get(ctx, userID, query) (*Identity, error)`

**get** `/accounts/{account_id}/access/users/{user_id}/last_seen_identity`

Get last seen identity for a single user.

### Parameters

- `userID string` UUID.
- `query AccessUserLastSeenIdentityGetParams`
  - `AccountID param.Field[string]` Identifier.
### Returns

- `type Identity struct{…}`
  - `AccountID string`
  - `AuthStatus string`
  - `CommonName string`
  - `DeviceID string`
  - `DeviceSessions map[string, IdentityDeviceSession]`
    - `LastAuthenticated float64`
  - `DevicePosture map[string, IdentityDevicePosture]`
    - `ID string`
    - `Check IdentityDevicePostureCheck`
      - `Exists bool`
      - `Path string`
    - `Data unknown`
    - `Description string`
    - `Error string`
    - `RuleName string`
    - `Success bool`
    - `Timestamp string`
    - `Type string`
  - `Email string`
  - `Geo UserPolicyCheckGeo`
    - `Country string`
  - `Iat float64`
  - `IdP IdentityIdP`
    - `ID string`
    - `Type string`
  - `IP string`
  - `IsGateway bool`
  - `IsWARP bool`
  - `MTLSAuth IdentityMTLSAuth`
    - `AuthStatus string`
    - `CERTIssuerDn string`
    - `CERTIssuerSki string`
    - `CERTPresented bool`
    - `CERTSerial string`
  - `ServiceTokenID string`
  - `ServiceTokenStatus bool`
  - `UserUUID string`
  - `Version float64`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	identity, err := client.ZeroTrust.Access.Users.LastSeenIdentity.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessUserLastSeenIdentityGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", identity.AccountID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "account_id": "1234567890",
    "auth_status": "NONE",
    "common_name": "",
    "device_id": "",
    "device_sessions": {
      "foo": {
        "last_authenticated": 1638832687
      }
    },
    "devicePosture": {
      "foo": {
        "id": "id",
        "check": {
          "exists": true,
          "path": "path"
        },
        "data": {},
        "description": "description",
        "error": "error",
        "rule_name": "rule_name",
        "success": true,
        "timestamp": "timestamp",
        "type": "type"
      }
    },
    "email": "test@cloudflare.com",
    "geo": {
      "country": "US"
    },
    "iat": 1694791905,
    "idp": {
      "id": "id",
      "type": "type"
    },
    "ip": "127.0.0.0",
    "is_gateway": false,
    "is_warp": false,
    "mtls_auth": {
      "auth_status": "auth_status",
      "cert_issuer_dn": "cert_issuer_dn",
      "cert_issuer_ski": "cert_issuer_ski",
      "cert_presented": true,
      "cert_serial": "cert_serial"
    },
    "service_token_id": "",
    "service_token_status": false,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
    "version": 2
  }
}
```

## Domain Types

### Identity

- `type Identity struct{…}`
  - `AccountID string`
  - `AuthStatus string`
  - `CommonName string`
  - `DeviceID string`
  - `DeviceSessions map[string, IdentityDeviceSession]`
    - `LastAuthenticated float64`
  - `DevicePosture map[string, IdentityDevicePosture]`
    - `ID string`
    - `Check IdentityDevicePostureCheck`
      - `Exists bool`
      - `Path string`
    - `Data unknown`
    - `Description string`
    - `Error string`
    - `RuleName string`
    - `Success bool`
    - `Timestamp string`
    - `Type string`
  - `Email string`
  - `Geo UserPolicyCheckGeo`
    - `Country string`
  - `Iat float64`
  - `IdP IdentityIdP`
    - `ID string`
    - `Type string`
  - `IP string`
  - `IsGateway bool`
  - `IsWARP bool`
  - `MTLSAuth IdentityMTLSAuth`
    - `AuthStatus string`
    - `CERTIssuerDn string`
    - `CERTIssuerSki string`
    - `CERTPresented bool`
    - `CERTSerial string`
  - `ServiceTokenID string`
  - `ServiceTokenStatus bool`
  - `UserUUID string`
  - `Version float64`

# Failed Logins

## Get failed logins

`client.ZeroTrust.Access.Users.FailedLogins.List(ctx, userID, query) (*SinglePage[AccessUserFailedLoginListResponse], error)`

**get** `/accounts/{account_id}/access/users/{user_id}/failed_logins`

Get all failed login attempts for a single user.

### Parameters

- `userID string` UUID.
- `query AccessUserFailedLoginListParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type AccessUserFailedLoginListResponse struct{…}`
  - `Expiration int64`
  - `Metadata unknown`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.Users.FailedLogins.List(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessUserFailedLoginListParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "expiration": 0,
      "metadata": {
        "app_name": "Test App",
        "aud": "39691c1480a2352a18ece567debc2b32552686cbd38eec0887aa18d5d3f00c04",
        "datetime": "2022-02-02T21:54:34.914Z",
        "ray_id": "6d76a8a42ead4133",
        "user_email": "test@cloudflare.com",
        "user_uuid": "57171132-e453-4ee8-b2a5-8cbaad333207"
      }
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Custom Pages

## List custom pages

`client.ZeroTrust.Access.CustomPages.List(ctx, params) (*V4PagePaginationArray[CustomPageWithoutHTML], error)`

**get** `/accounts/{account_id}/access/custom_pages`

List custom pages

### Parameters

- `params AccessCustomPageListParams`
  - `AccountID param.Field[string]` Path param: Identifier.
  - `Page param.Field[int64]` Query param: Page number of results.
  - `PerPage param.Field[int64]` Query param: Number of results per page.
### Returns

- `type CustomPageWithoutHTML struct{…}`
  - `Name string` Custom page name.
  - `Type CustomPageWithoutHTMLType` Custom page type.
    - `const CustomPageWithoutHTMLTypeIdentityDenied CustomPageWithoutHTMLType = "identity_denied"`
    - `const CustomPageWithoutHTMLTypeForbidden CustomPageWithoutHTMLType = "forbidden"`
  - `UID string` UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Access.CustomPages.List(context.TODO(), zero_trust.AccessCustomPageListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "name": "name",
      "type": "identity_denied",
      "app_count": 0,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a custom page

`client.ZeroTrust.Access.CustomPages.Get(ctx, customPageID, query) (*CustomPage, error)`

**get** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Fetches a custom page and also returns its HTML.

### Parameters

- `customPageID string` UUID.
- `query AccessCustomPageGetParams`
  - `AccountID param.Field[string]` Identifier.

### Returns

- `type CustomPage struct{…}`
  - `CustomHTML string` Custom page HTML.
  - `Name string` Custom page name.
  - `Type CustomPageType` Custom page type.
    - `const CustomPageTypeIdentityDenied CustomPageType = "identity_denied"`
    - `const CustomPageTypeForbidden CustomPageType = "forbidden"`
  - `UID string` UUID.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	customPage, err := client.ZeroTrust.Access.CustomPages.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.AccessCustomPageGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", customPage.UID)
}
```

#### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "custom_html": "