
Applications

List Access applications
client.ZeroTrust.Access.Applications.List(ctx, params) (*V4PagePaginationArray[AccessApplicationListResponse], error)
GET /{accounts_or_zones}/{account_or_zone_id}/access/apps
Get an Access application
client.ZeroTrust.Access.Applications.Get(ctx, appID, query) (*AccessApplicationGetResponse, error)
GET /{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}
Add an Access application
client.ZeroTrust.Access.Applications.New(ctx, params) (*AccessApplicationNewResponse, error)
POST /{accounts_or_zones}/{account_or_zone_id}/access/apps
Update an Access application
client.ZeroTrust.Access.Applications.Update(ctx, appID, params) (*AccessApplicationUpdateResponse, error)
PUT /{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}
Delete an Access application
client.ZeroTrust.Access.Applications.Delete(ctx, appID, body) (*AccessApplicationDeleteResponse, error)
DELETE /{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}
Revoke application tokens
client.ZeroTrust.Access.Applications.RevokeTokens(ctx, appID, body) (*AccessApplicationRevokeTokensResponse, error)
POST /{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens
Models
type AllowedHeaders string
type AllowedIdPs string

The identity providers selected for the application.

type AllowedMethods string
One of the following:
const AllowedMethodsGet AllowedMethods = "GET"
const AllowedMethodsPost AllowedMethods = "POST"
const AllowedMethodsHead AllowedMethods = "HEAD"
const AllowedMethodsPut AllowedMethods = "PUT"
const AllowedMethodsDelete AllowedMethods = "DELETE"
const AllowedMethodsConnect AllowedMethods = "CONNECT"
const AllowedMethodsOptions AllowedMethods = "OPTIONS"
const AllowedMethodsTrace AllowedMethods = "TRACE"
const AllowedMethodsPatch AllowedMethods = "PATCH"
type AllowedOrigins string
type AppID string

Identifier.

type Application interface{…}
One of the following:
ApplicationSelfHostedApplication
Domain string

The domain and path that Access will secure.

Type string

The application type.

ID stringoptional

UUID.

maxLength36
AllowIframe booloptional

Enables loading application content in an iFrame.

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible booloptional

Displays the application in the App Launcher.

AUD stringoptional

Audience tag.

maxLength64
AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CORSHeaders ApplicationSelfHostedApplicationCORSHeadersoptional
AllowAllHeaders booloptional

Allows all HTTP request headers.

AllowAllMethods booloptional

Allows all HTTP request methods.

AllowAllOrigins booloptional

Allows all origins.

AllowCredentials booloptional

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

AllowedHeaders []unknownoptional

Allowed HTTP request headers.

AllowedMethods []AllowedMethodsoptional

Allowed HTTP request methods.

One of the following:
const AllowedMethodsGet AllowedMethods = "GET"
const AllowedMethodsPost AllowedMethods = "POST"
const AllowedMethodsHead AllowedMethods = "HEAD"
const AllowedMethodsPut AllowedMethods = "PUT"
const AllowedMethodsDelete AllowedMethods = "DELETE"
const AllowedMethodsConnect AllowedMethods = "CONNECT"
const AllowedMethodsOptions AllowedMethods = "OPTIONS"
const AllowedMethodsTrace AllowedMethods = "TRACE"
const AllowedMethodsPatch AllowedMethods = "PATCH"
AllowedOrigins []unknownoptional

Allowed origins.

MaxAge float64optional

The maximum number of seconds the results of a preflight request can be cached.

maximum86400
minimum-1
CreatedAt Timeoptional
formatdate-time
CustomDenyMessage stringoptional

The custom error message shown to a user when they are denied access to the application.

CustomDenyURL stringoptional

The custom URL a user is redirected to when they are denied access to the application.

LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

OptionsPreflightBypass booloptional

Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

ServiceAuth401Redirect booloptional

Returns a 401 status code when the request is blocked by a Service Auth policy.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

SkipInterstitial booloptional

Enables automatic authentication through cloudflared.

UpdatedAt Timeoptional
formatdate-time
UseClientlessIsolationAppLauncherURL booloptional

Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
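
An added example (not from the SDK or its documentation): a small Go linter that checks a self-hosted application's settings against the constraints stated in the field descriptions above (a single IdP for auto-redirect, no preflight bypass together with cors_headers, the max_age range, the session duration format). The struct types, sample values, the positive-duration requirement and the all-origins-with-credentials check are assumptions for illustration; that last check is general CORS hardening, not a rule stated in this reference.

```go
package main

import (
	"fmt"
	"time"
)

// Local stand-ins (assumptions) that mirror the documented field names;
// these are not the SDK's own types.
type CORSHeaders struct {
	AllowAllOrigins  bool
	AllowCredentials bool
	AllowedOrigins   []string
	MaxAge           float64
}

type SelfHostedApp struct {
	Domain                 string
	AllowedIdPs            []string
	AutoRedirectToIdentity bool
	CORSHeaders            *CORSHeaders // nil means cors_headers is not set
	OptionsPreflightBypass bool
	SessionDuration        string // empty means the field is omitted
}

// Audit returns one finding per violated constraint; an empty result means
// the configuration passed every check below.
func Audit(app SelfHostedApp) []string {
	var f []string
	// Documented: auto-redirect needs exactly one identity provider.
	if app.AutoRedirectToIdentity && len(app.AllowedIdPs) != 1 {
		f = append(f, fmt.Sprintf(
			"auto_redirect_to_identity needs exactly one allowed_idps entry, got %d",
			len(app.AllowedIdPs)))
	}
	// Documented: preflight bypass cannot be on when cors_headers is set.
	if app.OptionsPreflightBypass && app.CORSHeaders != nil {
		f = append(f, "options_preflight_bypass is on while cors_headers is set")
	}
	if c := app.CORSHeaders; c != nil {
		// Documented: max_age minimum is -1, maximum is 86400.
		if c.MaxAge < -1 || c.MaxAge > 86400 {
			f = append(f, fmt.Sprintf("cors max_age %v is outside [-1, 86400]", c.MaxAge))
		}
		// Hardening check (assumption, not an API rule): credentialed
		// requests should be limited to an explicit origin list.
		if c.AllowAllOrigins && c.AllowCredentials {
			f = append(f, "cors allows all origins together with credentials")
		}
	}
	// Documented format ("300ms", "2h45m"; units ns, us, µs, ms, s, m, h)
	// matches Go's duration syntax. Requiring d > 0 is an assumption.
	if app.SessionDuration != "" {
		if d, err := time.ParseDuration(app.SessionDuration); err != nil || d <= 0 {
			f = append(f, fmt.Sprintf("session_duration %q is not a valid positive duration",
				app.SessionDuration))
		}
	}
	return f
}

// weakApp is a constructed configuration that trips every check.
func weakApp() SelfHostedApp {
	return SelfHostedApp{
		Domain:                 "weak.example.com/admin",
		AllowedIdPs:            []string{"idp-a", "idp-b"}, // placeholder IDs
		AutoRedirectToIdentity: true,
		CORSHeaders: &CORSHeaders{
			AllowAllOrigins:  true,
			AllowCredentials: true,
			MaxAge:           100000,
		},
		OptionsPreflightBypass: true,
		SessionDuration:        "2 hours",
	}
}

// hardenedApp is the same constructed application with each finding corrected.
func hardenedApp() SelfHostedApp {
	return SelfHostedApp{
		Domain:                 "hardened.example.com/admin",
		AllowedIdPs:            []string{"idp-a"},
		AutoRedirectToIdentity: true,
		CORSHeaders: &CORSHeaders{
			AllowCredentials: true,
			AllowedOrigins:   []string{"https://app.example.com"},
			MaxAge:           600,
		},
		SessionDuration: "2h45m",
	}
}

func main() {
	for _, app := range []SelfHostedApp{weakApp(), hardenedApp()} {
		findings := Audit(app)
		fmt.Printf("%s: %d finding(s)\n", app.Domain, len(findings))
		for _, m := range findings {
			fmt.Println("  -", m)
		}
	}
}
```
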

ApplicationSaaSApplication
ID stringoptional

UUID.

maxLength36
AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible booloptional

Displays the application in the App Launcher.

AUD stringoptional

Audience tag.

maxLength64
AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CreatedAt Timeoptional
formatdate-time
LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

SaaSApp ApplicationSaaSApplicationSaaSAppoptional
One of the following:
ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSApp
AuthType ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeoptional

Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to “saml” if unset.

One of the following:
const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType = "saml"
const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType = "oidc"
ConsumerServiceURL stringoptional

The service provider’s endpoint that is responsible for receiving and parsing a SAML assertion.

CreatedAt Timeoptional
formatdate-time
CustomAttributes []ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributeoptional
FriendlyName stringoptional

The SAML FriendlyName of the attribute.

Name stringoptional

The name of the attribute.

NameFormat ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatoptional

A globally unique name for an identity or service provider.

One of the following:
const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Required booloptional

If the attribute is required when building a SAML assertion.

Source ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesSourceoptional
Name stringoptional

The name of the IdP attribute.

NameByIdP map[string, string]optional

A mapping from IdP ID to attribute name.

IdPEntityID stringoptional

The unique identifier for your SaaS application.

NameIDFormat SaaSAppNameIDFormatoptional

The format of the name identifier sent to the SaaS application.

NameIDTransformJsonata stringoptional

A JSONata expression that transforms an application’s user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.

PublicKey stringoptional

The Access public certificate that will be used to verify your identity.

SPEntityID stringoptional

A globally unique name for an identity or service provider.

SSOEndpoint stringoptional

The endpoint where your SaaS application will send login requests.

UpdatedAt Timeoptional
formatdate-time
ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSApp
AccessTokenLifetime stringoptional

The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.

AllowPKCEWithoutClientSecret booloptional

If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.

AppLauncherURL stringoptional

The URL where this application's tile redirects users.

AuthType ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeoptional

Identifier of the authentication protocol used for the SaaS app. Required for OIDC.

One of the following:
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType = "saml"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType = "oidc"
ClientID stringoptional

The application client ID.

ClientSecret stringoptional

The application client secret, only returned on POST request.

CreatedAt Timeoptional
formatdate-time
CustomClaims []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimoptional
Name stringoptional

The name of the claim.

Required booloptional

If the claim is required when building an OIDC token.

Scope ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeoptional

The scope of the claim.

One of the following:
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeGroups ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "groups"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeProfile ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "profile"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeEmail ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "email"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeOpenid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "openid"
Source ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsSourceoptional
Name stringoptional

The name of the IdP claim.

NameByIdP []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsSourceNameByIdPoptional

A mapping from IdP ID to attribute name.

IdPID stringoptional

The UID of the IdP.

SourceName stringoptional

The name of the IdP provided attribute.

GrantTypes []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeoptional

The OIDC flows supported by this application

One of the following:
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeAuthorizationCode ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "authorization_code"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "authorization_code_with_pkce"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeRefreshTokens ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "refresh_tokens"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeHybrid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "hybrid"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeImplicit ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "implicit"
GroupFilterRegex stringoptional

A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.

HybridAndImplicitOptions ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppHybridAndImplicitOptionsoptional
ReturnAccessTokenFromAuthorizationEndpoint booloptional

If an Access Token should be returned from the OIDC Authorization endpoint

ReturnIDTokenFromAuthorizationEndpoint booloptional

If an ID Token should be returned from the OIDC Authorization endpoint

PublicKey stringoptional

The Access public certificate that will be used to verify your identity.

RedirectURIs []stringoptional

The permitted URLs to which Cloudflare returns authorization codes and Access/ID tokens.

RefreshTokenOptions ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppRefreshTokenOptionsoptional
Lifetime stringoptional

How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

Scopes []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeoptional

Defines the user information shared with Access. The “offline_access” scope is automatically enabled if refresh tokens are enabled.

One of the following:
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeOpenid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "openid"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeGroups ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "groups"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeEmail ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "email"
const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeProfile ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "profile"
UpdatedAt Timeoptional
formatdate-time
SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

Type stringoptional

The application type.

UpdatedAt Timeoptional
formatdate-time
ApplicationBrowserSSHApplication
Domain string

The domain and path that Access will secure.

Type string

The application type.

ID stringoptional

UUID.

maxLength36
AllowIframe booloptional

Enables loading application content in an iFrame.

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible booloptional

Displays the application in the App Launcher.

AUD stringoptional

Audience tag.

maxLength64
AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CORSHeaders ApplicationBrowserSSHApplicationCORSHeadersoptional
AllowAllHeaders booloptional

Allows all HTTP request headers.

AllowAllMethods booloptional

Allows all HTTP request methods.

AllowAllOrigins booloptional

Allows all origins.

AllowCredentials booloptional

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

AllowedHeaders []unknownoptional

Allowed HTTP request headers.

AllowedMethods []AllowedMethodsoptional

Allowed HTTP request methods.

One of the following:
const AllowedMethodsGet AllowedMethods = "GET"
const AllowedMethodsPost AllowedMethods = "POST"
const AllowedMethodsHead AllowedMethods = "HEAD"
const AllowedMethodsPut AllowedMethods = "PUT"
const AllowedMethodsDelete AllowedMethods = "DELETE"
const AllowedMethodsConnect AllowedMethods = "CONNECT"
const AllowedMethodsOptions AllowedMethods = "OPTIONS"
const AllowedMethodsTrace AllowedMethods = "TRACE"
const AllowedMethodsPatch AllowedMethods = "PATCH"
AllowedOrigins []unknownoptional

Allowed origins.

MaxAge float64optional

The maximum number of seconds the results of a preflight request can be cached.

maximum86400
minimum-1
CreatedAt Timeoptional
formatdate-time
CustomDenyMessage stringoptional

The custom error message shown to a user when they are denied access to the application.

CustomDenyURL stringoptional

The custom URL a user is redirected to when they are denied access to the application.

LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

OptionsPreflightBypass booloptional

Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

ServiceAuth401Redirect booloptional

Returns a 401 status code when the request is blocked by a Service Auth policy.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

SkipInterstitial booloptional

Enables automatic authentication through cloudflared.

UpdatedAt Timeoptional
formatdate-time
UseClientlessIsolationAppLauncherURL booloptional

Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

ApplicationBrowserVNCApplication
Domain string

The domain and path that Access will secure.

Type string

The application type.

ID stringoptional

UUID.

maxLength36
AllowIframe booloptional

Enables loading application content in an iFrame.

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible booloptional

Displays the application in the App Launcher.

AUD stringoptional

Audience tag.

maxLength64
AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CORSHeaders ApplicationBrowserVNCApplicationCORSHeadersoptional
AllowAllHeaders booloptional

Allows all HTTP request headers.

AllowAllMethods booloptional

Allows all HTTP request methods.

AllowAllOrigins booloptional

Allows all origins.

AllowCredentials booloptional

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

AllowedHeaders []unknownoptional

Allowed HTTP request headers.

AllowedMethods []AllowedMethodsoptional

Allowed HTTP request methods.

One of the following:
const AllowedMethodsGet AllowedMethods = "GET"
const AllowedMethodsPost AllowedMethods = "POST"
const AllowedMethodsHead AllowedMethods = "HEAD"
const AllowedMethodsPut AllowedMethods = "PUT"
const AllowedMethodsDelete AllowedMethods = "DELETE"
const AllowedMethodsConnect AllowedMethods = "CONNECT"
const AllowedMethodsOptions AllowedMethods = "OPTIONS"
const AllowedMethodsTrace AllowedMethods = "TRACE"
const AllowedMethodsPatch AllowedMethods = "PATCH"
AllowedOrigins []unknownoptional

Allowed origins.

MaxAge float64optional

The maximum number of seconds the results of a preflight request can be cached.

maximum86400
minimum-1
CreatedAt Timeoptional
formatdate-time
CustomDenyMessage stringoptional

The custom error message shown to a user when they are denied access to the application.

CustomDenyURL stringoptional

The custom URL a user is redirected to when they are denied access to the application.

LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

OptionsPreflightBypass booloptional

Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

ServiceAuth401Redirect booloptional

Returns a 401 status code when the request is blocked by a Service Auth policy.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

SkipInterstitial booloptional

Enables automatic authentication through cloudflared.

UpdatedAt Timeoptional
formatdate-time
UseClientlessIsolationAppLauncherURL booloptional

Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

ApplicationAppLauncherApplication
Type ApplicationAppLauncherApplicationType

The application type.

One of the following:
const ApplicationAppLauncherApplicationTypeSelfHosted ApplicationAppLauncherApplicationType = "self_hosted"
const ApplicationAppLauncherApplicationTypeSaaS ApplicationAppLauncherApplicationType = "saas"
const ApplicationAppLauncherApplicationTypeSSH ApplicationAppLauncherApplicationType = "ssh"
const ApplicationAppLauncherApplicationTypeVNC ApplicationAppLauncherApplicationType = "vnc"
const ApplicationAppLauncherApplicationTypeAppLauncher ApplicationAppLauncherApplicationType = "app_launcher"
const ApplicationAppLauncherApplicationTypeWARP ApplicationAppLauncherApplicationType = "warp"
const ApplicationAppLauncherApplicationTypeBISO ApplicationAppLauncherApplicationType = "biso"
const ApplicationAppLauncherApplicationTypeBookmark ApplicationAppLauncherApplicationType = "bookmark"
const ApplicationAppLauncherApplicationTypeDashSSO ApplicationAppLauncherApplicationType = "dash_sso"
ID stringoptional

UUID.

maxLength36
AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AUD stringoptional

Audience tag.

maxLength64
AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CreatedAt Timeoptional
formatdate-time
Domain stringoptional

The domain and path that Access will secure.

Name stringoptional

The name of the application.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UpdatedAt Timeoptional
formatdate-time
ApplicationDeviceEnrollmentPermissionsApplication
Type ApplicationDeviceEnrollmentPermissionsApplicationType

The application type.

One of the following:
const ApplicationDeviceEnrollmentPermissionsApplicationTypeSelfHosted ApplicationDeviceEnrollmentPermissionsApplicationType = "self_hosted"
const ApplicationDeviceEnrollmentPermissionsApplicationTypeSaaS ApplicationDeviceEnrollmentPermissionsApplicationType = "saas"
const ApplicationDeviceEnrollmentPermissionsApplicationTypeSSH ApplicationDeviceEnrollmentPermissionsApplicationType = "ssh"
const ApplicationDeviceEnrollmentPermissionsApplicationTypeVNC ApplicationDeviceEnrollmentPermissionsApplicationType = "vnc"
const ApplicationDeviceEnrollmentPermissionsApplicationTypeAppLauncher ApplicationDeviceEnrollmentPermissionsApplicationType = "app_launcher"
const ApplicationDeviceEnrollmentPermissionsApplicationTypeWARP ApplicationDeviceEnrollmentPermissionsApplicationType = "warp"
const ApplicationDeviceEnrollmentPermissionsApplicationTypeBISO ApplicationDeviceEnrollmentPermissionsApplicationType = "biso"
const ApplicationDeviceEnrollmentPermissionsApplicationTypeBookmark ApplicationDeviceEnrollmentPermissionsApplicationType = "bookmark"
const ApplicationDeviceEnrollmentPermissionsApplicationTypeDashSSO ApplicationDeviceEnrollmentPermissionsApplicationType = "dash_sso"
ID stringoptional

UUID.

maxLength36
AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AUD stringoptional

Audience tag.

maxLength64
AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CreatedAt Timeoptional
formatdate-time
Domain stringoptional

The domain and path that Access will secure.

Name stringoptional

The name of the application.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UpdatedAt Timeoptional
formatdate-time
ApplicationBrowserIsolationPermissionsApplication
Type ApplicationBrowserIsolationPermissionsApplicationType

The application type.

One of the following:
const ApplicationBrowserIsolationPermissionsApplicationTypeSelfHosted ApplicationBrowserIsolationPermissionsApplicationType = "self_hosted"
const ApplicationBrowserIsolationPermissionsApplicationTypeSaaS ApplicationBrowserIsolationPermissionsApplicationType = "saas"
const ApplicationBrowserIsolationPermissionsApplicationTypeSSH ApplicationBrowserIsolationPermissionsApplicationType = "ssh"
const ApplicationBrowserIsolationPermissionsApplicationTypeVNC ApplicationBrowserIsolationPermissionsApplicationType = "vnc"
const ApplicationBrowserIsolationPermissionsApplicationTypeAppLauncher ApplicationBrowserIsolationPermissionsApplicationType = "app_launcher"
const ApplicationBrowserIsolationPermissionsApplicationTypeWARP ApplicationBrowserIsolationPermissionsApplicationType = "warp"
const ApplicationBrowserIsolationPermissionsApplicationTypeBISO ApplicationBrowserIsolationPermissionsApplicationType = "biso"
const ApplicationBrowserIsolationPermissionsApplicationTypeBookmark ApplicationBrowserIsolationPermissionsApplicationType = "bookmark"
const ApplicationBrowserIsolationPermissionsApplicationTypeDashSSO ApplicationBrowserIsolationPermissionsApplicationType = "dash_sso"
ID stringoptional

UUID.

maxLength36
AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AUD stringoptional

Audience tag.

maxLength64
AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CreatedAt Timeoptional
formatdate-time
Domain stringoptional

The domain and path that Access will secure.

Name stringoptional

The name of the application.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UpdatedAt Timeoptional
formatdate-time
ApplicationBookmarkApplication
Domain string

The URL or domain of the bookmark.

Type string

The application type.

ID stringoptional

UUID.

maxLength36
AppLauncherVisible unknownoptional
AUD stringoptional

Audience tag.

maxLength64
CreatedAt Timeoptional
formatdate-time
LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

UpdatedAt Timeoptional
formatdate-time
type ApplicationPolicy struct{…}
ID stringoptional

The UUID of the policy

maxLength36
ApprovalGroups []ApprovalGroupoptional

Administrators who can approve a temporary authentication request.

ApprovalsNeeded float64

The number of approvals needed to obtain access.

minimum0
EmailAddresses []stringoptional

A list of emails that can approve the access request.

EmailListUUID stringoptional

The UUID of a reusable email list.

ApprovalRequired booloptional

Requires the user to request access from an administrator at the start of each session.

ConnectionRules ApplicationPolicyConnectionRulesoptional

The rules that define how users may connect to targets secured by your application.

RDP ApplicationPolicyConnectionRulesRDPoptional

The RDP-specific rules that define clipboard behavior for RDP connections.

AllowedClipboardLocalToRemoteFormats []ApplicationPolicyConnectionRulesRDPAllowedClipboardLocalToRemoteFormatoptional

Clipboard formats allowed when copying from local machine to remote RDP session.

AllowedClipboardRemoteToLocalFormats []ApplicationPolicyConnectionRulesRDPAllowedClipboardRemoteToLocalFormatoptional

Clipboard formats allowed when copying from remote RDP session to local machine.

CreatedAt Timeoptional
formatdate-time
Decision Decisionoptional

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

Exclude []AccessRuleoptional

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

One of the following:
type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup
ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext
ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod
AuthMethod string
type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD
ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate
type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName
CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo
CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces that a device posture rule has run successfully.

DevicePosture AccessDevicePostureRuleDevicePosture
IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain
Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList
ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail
Email string

The email of the user.

format: email
type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation
EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a GitHub organization. Requires a GitHub identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization
IdentityProviderID string

The ID of your GitHub identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite
Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod
ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList
ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP
IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta
IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML
AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC
ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken
TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken
AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user’s risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"
Include []AccessRuleoptional

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:
type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup
ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext
ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod
AuthMethod string
type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD
ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate
type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName
CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo
CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces that a device posture rule has run successfully.

DevicePosture AccessDevicePostureRuleDevicePosture
IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain
Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList
ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail
Email string

The email of the user.

format: email
type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation
EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a GitHub organization. Requires a GitHub identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization
IdentityProviderID string

The ID of your GitHub identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite
Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod
ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList
ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP
IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta
IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML
AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC
ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken
TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken
AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user’s risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"
IsolationRequired booloptional

Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.

MfaConfig ApplicationPolicyMfaConfigoptional

Configures multi-factor authentication (MFA) settings.

AllowedAuthenticators []ApplicationPolicyMfaConfigAllowedAuthenticatoroptional

Lists the MFA methods that users can authenticate with.

One of the following:
const ApplicationPolicyMfaConfigAllowedAuthenticatorTotp ApplicationPolicyMfaConfigAllowedAuthenticator = "totp"
const ApplicationPolicyMfaConfigAllowedAuthenticatorBiometrics ApplicationPolicyMfaConfigAllowedAuthenticator = "biometrics"
const ApplicationPolicyMfaConfigAllowedAuthenticatorSecurityKey ApplicationPolicyMfaConfigAllowedAuthenticator = "security_key"
MfaDisabled booloptional

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

SessionDuration stringoptional

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

Name stringoptional

The name of the Access policy.

PurposeJustificationPrompt stringoptional

A custom message that will appear on the purpose justification screen.

PurposeJustificationRequired booloptional

Require users to enter a justification when they log in to the application.

Require []AccessRuleoptional

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

One of the following:
type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup
ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext
ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod
AuthMethod string
type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD
ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate
type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName
CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo
CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces that a device posture rule has run successfully.

DevicePosture AccessDevicePostureRuleDevicePosture
IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain
Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList
ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail
Email string

The email of the user.

format: email
type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation
EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a GitHub organization. Requires a GitHub identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization
IdentityProviderID string

The ID of your GitHub identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite
Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod
ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList
ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP
IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta
IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML
AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC
ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken
TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken
AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user’s risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"
SessionDuration stringoptional

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UpdatedAt Timeoptional
format: date-time
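
How the Exclude (NOT), Require (AND) and Include (OR) lists of a policy combine, as an added Go sketch that is not part of the SDK or of Access itself. Identity, Rule, Policy, Evaluate and the sample values are hypothetical, only three rule kinds are modelled, and an empty Include list is assumed to match nobody.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Identity is a hypothetical, simplified view of the attributes a rule can test.
type Identity struct {
	Email   string
	IP      netip.Addr
	Country string
}

// Rule is a hypothetical stand-in for one entry of Include, Exclude or Require.
type Rule interface{ Matches(id Identity) bool }

// EmailDomain models "Match an entire email domain."
type EmailDomain struct{ Domain string }

func (r EmailDomain) Matches(id Identity) bool {
	at := strings.LastIndex(id.Email, "@")
	return at >= 0 && strings.EqualFold(id.Email[at+1:], r.Domain)
}

// IPBlock models "Matches an IP address block" (an IPv4 or IPv6 CIDR block).
type IPBlock struct{ Prefix netip.Prefix }

func (r IPBlock) Matches(id Identity) bool {
	return id.IP.IsValid() && r.Prefix.Contains(id.IP.Unmap())
}

// Country models "Matches a specific country".
type Country struct{ Code string }

func (r Country) Matches(id Identity) bool { return strings.EqualFold(id.Country, r.Code) }

// Policy carries the three rule lists of an Access policy.
type Policy struct {
	Include, Exclude, Require []Rule
}

// Evaluate reports whether id matches the policy and which list decided it.
func (p Policy) Evaluate(id Identity) (bool, string) {
	for _, r := range p.Exclude { // NOT: any hit disqualifies the user
		if r.Matches(id) {
			return false, "excluded"
		}
	}
	for _, r := range p.Require { // AND: every rule must hold
		if !r.Matches(id) {
			return false, "require not met"
		}
	}
	for _, r := range p.Include { // OR: one hit is enough
		if r.Matches(id) {
			return true, "included"
		}
	}
	// Assumption: with no Include hit (or an empty list) the policy does not match.
	return false, "no include rule met"
}

// newIdentity builds an Identity from strings; the values used below are constructed.
func newIdentity(email, ip, country string) Identity {
	return Identity{Email: email, IP: netip.MustParseAddr(ip), Country: country}
}

// samplePolicy is a constructed policy using documentation address ranges.
func samplePolicy() Policy {
	return Policy{
		Include: []Rule{EmailDomain{"example.com"}, IPBlock{netip.MustParsePrefix("203.0.113.0/24")}},
		Require: []Rule{Country{"US"}},
		Exclude: []Rule{IPBlock{netip.MustParsePrefix("198.51.100.0/24")}},
	}
}

func main() {
	p := samplePolicy()
	for _, id := range []Identity{
		newIdentity("alice@example.com", "192.0.2.10", "US"),
		newIdentity("bob@other.test", "203.0.113.5", "US"),
		newIdentity("alice@example.com", "192.0.2.10", "DE"),
		newIdentity("alice@example.com", "198.51.100.7", "US"),
		newIdentity("carol@other.test", "192.0.2.10", "US"),
	} {
		ok, why := p.Evaluate(id)
		fmt.Printf("%-20s %-14s %s -> %v (%s)\n", id.Email, id.IP, id.Country, ok, why)
	}
}
```
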
type ApplicationSCIMConfig struct{…}

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

IdPUID string

The UID of the IdP to use as the source for SCIM resources to provision to this application.

RemoteURI string

The base URI for the application’s SCIM-compatible API.

Authentication ApplicationSCIMConfigAuthenticationUnionoptional

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

One of the following:
type SCIMConfigAuthenticationHTTPBasic struct{…}

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

Password string

Password used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationHTTPBasicScheme

The authentication scheme to use when making SCIM requests to this application.

User string

User name used to authenticate with the remote SCIM service.

ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken
Token string

Token used to authenticate with the remote SCIM service.

Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme

The authentication scheme to use when making SCIM requests to this application.

type SCIMConfigAuthenticationOauth2 struct{…}

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

AuthorizationURL string

URL used to generate the auth code used during token generation.

ClientID string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

ClientSecret string

Secret used to authenticate when generating a token for authenticating with the remote SCIM service.

Scheme SCIMConfigAuthenticationOauth2Scheme

The authentication scheme to use when making SCIM requests to this application.

TokenURL string

URL used to generate the token used to authenticate with the remote SCIM service.

Scopes []stringoptional

The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ClientID string

Client ID of the Access service token used to authenticate with the remote service.

ClientSecret string

Client secret of the Access service token used to authenticate with the remote service.

Scheme ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme

The authentication scheme to use when making SCIM requests to this application.

ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthentication
One of the following:
type SCIMConfigAuthenticationHTTPBasic struct{…}

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

Password string

Password used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationHTTPBasicScheme

The authentication scheme to use when making SCIM requests to this application.

User string

User name used to authenticate with the remote SCIM service.

ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken
Token string

Token used to authenticate with the remote SCIM service.

Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme

The authentication scheme to use when making SCIM requests to this application.

type SCIMConfigAuthenticationOauth2 struct{…}

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

AuthorizationURL string

URL used to generate the auth code used during token generation.

ClientID string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

ClientSecret string

Secret used to authenticate when generating a token for authenticating with the remote SCIM service.

Scheme SCIMConfigAuthenticationOauth2Scheme

The authentication scheme to use when making SCIM requests to this application.

TokenURL string

URL used to generate the token used to authenticate with the remote SCIM service.

Scopes []stringoptional

The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ClientID string

Client ID of the Access service token used to authenticate with the remote service.

ClientSecret string

Client secret of the Access service token used to authenticate with the remote service.

Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme

The authentication scheme to use when making SCIM requests to this application.

DeactivateOnDelete booloptional

If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.

Enabled booloptional

Whether SCIM provisioning is turned on for this application.

Mappings []SCIMConfigMappingoptional

A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

Schema string

Which SCIM resource type this mapping applies to.

Enabled booloptional

Whether or not this mapping is enabled.

Filter stringoptional

A SCIM filter expression that matches resources that should be provisioned to this application.

Operations SCIMConfigMappingOperationsoptional

Whether or not this mapping applies to creates, updates, or deletes.

Create booloptional

Whether or not this mapping applies to create (POST) operations.

Delete booloptional

Whether or not this mapping applies to DELETE operations.

Update booloptional

Whether or not this mapping applies to update (PATCH/PUT) operations.

Strictness SCIMConfigMappingStrictnessoptional

The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.

One of the following:
const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"
const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"
TransformJsonata stringoptional

A JSONata expression that transforms the resource before provisioning it in the application.

type ApplicationType string

The application type.

One of the following:
const ApplicationTypeSelfHosted ApplicationType = "self_hosted"
const ApplicationTypeSaaS ApplicationType = "saas"
const ApplicationTypeSSH ApplicationType = "ssh"
const ApplicationTypeVNC ApplicationType = "vnc"
const ApplicationTypeAppLauncher ApplicationType = "app_launcher"
const ApplicationTypeWARP ApplicationType = "warp"
const ApplicationTypeBISO ApplicationType = "biso"
const ApplicationTypeBookmark ApplicationType = "bookmark"
const ApplicationTypeDashSSO ApplicationType = "dash_sso"
const ApplicationTypeInfrastructure ApplicationType = "infrastructure"
const ApplicationTypeRDP ApplicationType = "rdp"
const ApplicationTypeMcp ApplicationType = "mcp"
const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"
const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"
type CORSHeaders struct{…}
AllowAllHeaders booloptional

Allows all HTTP request headers.

AllowAllMethods booloptional

Allows all HTTP request methods.

AllowAllOrigins booloptional

Allows all origins.

AllowCredentials booloptional

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

AllowedHeaders []AllowedHeadersoptional

Allowed HTTP request headers.

AllowedMethods []AllowedMethodsoptional

Allowed HTTP request methods.

One of the following:
const AllowedMethodsGet AllowedMethods = "GET"
const AllowedMethodsPost AllowedMethods = "POST"
const AllowedMethodsHead AllowedMethods = "HEAD"
const AllowedMethodsPut AllowedMethods = "PUT"
const AllowedMethodsDelete AllowedMethods = "DELETE"
const AllowedMethodsConnect AllowedMethods = "CONNECT"
const AllowedMethodsOptions AllowedMethods = "OPTIONS"
const AllowedMethodsTrace AllowedMethods = "TRACE"
const AllowedMethodsPatch AllowedMethods = "PATCH"
AllowedOrigins []AllowedOriginsoptional

Allowed origins.

MaxAge float64optional

The maximum number of seconds the results of a preflight request can be cached.

maximum: 86400
minimum: -1
type Decision string

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

One of the following:
const DecisionAllow Decision = "allow"
const DecisionDeny Decision = "deny"
const DecisionNonIdentity Decision = "non_identity"
const DecisionBypass Decision = "bypass"
type OIDCSaaSApp struct{…}
AccessTokenLifetime stringoptional

The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.

AllowPKCEWithoutClientSecret booloptional

If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.

AppLauncherURL stringoptional

The URL where this application’s tile redirects users.

AuthType OIDCSaaSAppAuthTypeoptional

Identifier of the authentication protocol used for the saas app. Required for OIDC.

One of the following:
const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"
const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"
ClientID stringoptional

The application client id

ClientSecret stringoptional

The application client secret, only returned on POST request.

CustomClaims []OIDCSaaSAppCustomClaimoptional
Name stringoptional

The name of the claim.

Required booloptional

If the claim is required when building an OIDC token.

Scope OIDCSaaSAppCustomClaimsScopeoptional

The scope of the claim.

One of the following:
const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"
const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"
const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"
const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"
Source OIDCSaaSAppCustomClaimsSourceoptional
Name stringoptional

The name of the IdP claim.

NameByIdP map[string, string]optional

A mapping from IdP ID to claim name.

GrantTypes []OIDCSaaSAppGrantTypeoptional

The OIDC flows supported by this application

One of the following:
const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"
const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"
const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"
const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"
const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"
GroupFilterRegex stringoptional

A regex to filter Cloudflare groups returned in ID token and userinfo endpoint

HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptionsoptional
ReturnAccessTokenFromAuthorizationEndpoint booloptional

If an Access Token should be returned from the OIDC Authorization endpoint

ReturnIDTokenFromAuthorizationEndpoint booloptional

If an ID Token should be returned from the OIDC Authorization endpoint

PublicKey stringoptional

The Access public certificate that will be used to verify your identity.

RedirectURIs []stringoptional

The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.

RefreshTokenOptions OIDCSaaSAppRefreshTokenOptionsoptional
Lifetime stringoptional

How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

Scopes []OIDCSaaSAppScopeoptional

Defines the user information shared with Access. The “offline_access” scope will be automatically enabled if refresh tokens are enabled.

One of the following:
const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"
const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"
const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"
const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"
type SaaSAppNameIDFormat string

The format of the name identifier sent to the SaaS application.

One of the following:
const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"
const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"
type SAMLSaaSApp struct{…}
AuthType SAMLSaaSAppAuthTypeoptional

Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is “saml”

One of the following:
const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"
const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"
ConsumerServiceURL stringoptional

The service provider’s endpoint that is responsible for receiving and parsing a SAML assertion.

CustomAttributes []SAMLSaaSAppCustomAttributeoptional
FriendlyName stringoptional

The SAML FriendlyName of the attribute.

Name stringoptional

The name of the attribute.

NameFormat SAMLSaaSAppCustomAttributesNameFormatoptional

A globally unique name for an identity or service provider.

One of the following:
const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Required booloptional

If the attribute is required when building a SAML assertion.

Source SAMLSaaSAppCustomAttributesSource (optional)
Name string (optional)

The name of the IdP attribute.

NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdP (optional)

A mapping from IdP ID to attribute name.

IdPID string (optional)

The UID of the IdP.

SourceName string (optional)

The name of the IdP provided attribute.

DefaultRelayState string (optional)

The URL that the user will be redirected to after a successful login for IdP-initiated logins.

IdPEntityID string (optional)

The unique identifier for your SaaS application.

NameIDFormat SaaSAppNameIDFormat (optional)

The format of the name identifier sent to the SaaS application.

NameIDTransformJsonata string (optional)

A JSONata expression that transforms an application’s user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.

PublicKey string (optional)

The Access public certificate that will be used to verify your identity.

SAMLAttributeTransformJsonata string (optional)

A [JSONata](https://jsonata.org/) expression that transforms an application’s user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.

SPEntityID string (optional)

A globally unique name for an identity or service provider.

SSOEndpoint string (optional)

The endpoint where your SaaS application will send login requests.

type SCIMConfigAuthenticationHTTPBasic struct{…}

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

Password string

Password used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationHTTPBasicScheme

The authentication scheme to use when making SCIM requests to this application.

User string

User name used to authenticate with the remote SCIM service.

type SCIMConfigAuthenticationOAuthBearerToken struct{…}

Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.

Token string

Token used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme

The authentication scheme to use when making SCIM requests to this application.

type SCIMConfigAuthenticationOauth2 struct{…}

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

AuthorizationURL string

URL used to generate the auth code used during token generation.

ClientID string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

ClientSecret string

Secret used to authenticate when generating a token for authenticating with the remote SCIM service.

Scheme SCIMConfigAuthenticationOauth2Scheme

The authentication scheme to use when making SCIM requests to this application.

TokenURL string

URL used to generate the token used to authenticate with the remote SCIM service.

Scopes []string (optional)

The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

type SCIMConfigMapping struct{…}

Transformations and filters applied to resources before they are provisioned in the remote SCIM service.

Schema string

Which SCIM resource type this mapping applies to.

Enabled bool (optional)

Whether or not this mapping is enabled.

Filter string (optional)

A SCIM filter expression that matches resources that should be provisioned to this application.

Operations SCIMConfigMappingOperations (optional)

Whether or not this mapping applies to creates, updates, or deletes.

Create bool (optional)

Whether or not this mapping applies to create (POST) operations.

Delete bool (optional)

Whether or not this mapping applies to DELETE operations.

Update bool (optional)

Whether or not this mapping applies to update (PATCH/PUT) operations.

Strictness SCIMConfigMappingStrictness (optional)

The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.

One of the following:
const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"
const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"
TransformJsonata string (optional)

A JSONata expression that transforms the resource before provisioning it in the application.

type SelfHostedDomains string

A domain that Access will secure.

Applications > CAs

List short-lived certificate CAs
client.ZeroTrust.Access.Applications.CAs.List(ctx, params) (*V4PagePaginationArray[CA], error)
GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca
Get a short-lived certificate CA
client.ZeroTrust.Access.Applications.CAs.Get(ctx, appID, query) (*CA, error)
GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca
Create a short-lived certificate CA
client.ZeroTrust.Access.Applications.CAs.New(ctx, appID, body) (*CA, error)
POST/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca
Delete a short-lived certificate CA
client.ZeroTrust.Access.Applications.CAs.Delete(ctx, appID, body) (*AccessApplicationCADeleteResponse, error)
DELETE/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca
Models
type CA struct{…}
ID string (optional)

The ID of the CA.

maxLength: 48
AUD string (optional)

The Application Audience (AUD) tag. Identifies the application associated with the CA.

maxLength: 64
PublicKey string (optional)

The public key to add to your SSH server configuration.

Applications > User Policy Checks

Test Access policies
client.ZeroTrust.Access.Applications.UserPolicyChecks.List(ctx, appID, query) (*AccessApplicationUserPolicyCheckListResponse, error)
GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks
Models
type UserPolicyCheckGeo struct{…}
Country string (optional)

Applications > Policies

List Access application policies
client.ZeroTrust.Access.Applications.Policies.List(ctx, appID, params) (*V4PagePaginationArray[AccessApplicationPolicyListResponse], error)
GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies
Get an Access application policy
client.ZeroTrust.Access.Applications.Policies.Get(ctx, appID, policyID, query) (*AccessApplicationPolicyGetResponse, error)
GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}
Create an Access application policy
client.ZeroTrust.Access.Applications.Policies.New(ctx, appID, params) (*AccessApplicationPolicyNewResponse, error)
POST/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies
Update an Access application policy
client.ZeroTrust.Access.Applications.Policies.Update(ctx, appID, policyID, params) (*AccessApplicationPolicyUpdateResponse, error)
PUT/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}
Delete an Access application policy
client.ZeroTrust.Access.Applications.Policies.Delete(ctx, appID, policyID, body) (*AccessApplicationPolicyDeleteResponse, error)
DELETE/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}
Models
type AccessDevicePostureRule struct{…}

Enforces that a device posture rule has run successfully.

DevicePosture AccessDevicePostureRuleDevicePosture
IntegrationUID string

The ID of a device posture integration.

type AccessRule interface{…}

Matches an Access group.

One of the following:
type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup
ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext
ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod
AuthMethod string
type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD
ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate
type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName
CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo
CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces that a device posture rule has run successfully.

DevicePosture AccessDevicePostureRuleDevicePosture
IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain
Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList
ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail
Email string

The email of the user.

format: email
type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation
EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a GitHub organization. Requires a GitHub identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization
IdentityProviderID string

The ID of your GitHub identity provider.

Name string

The name of the organization.

Team string (optional)

The name of the team.

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite
Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod
ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList
ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP
IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta
IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML
AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC
ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken
TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken
AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user’s risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"
const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"
type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod
AuthMethod string
type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD
ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate
type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo
CountryCode string

The country code that should be matched.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain
Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList
ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail
Email string

The email of the user.

format: email
type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation
EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a GitHub organization. Requires a GitHub identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization
IdentityProviderID string

The ID of your GitHub identity provider.

Name string

The name of the organization.

Team string (optional)

The name of the team.

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup
ID string

The ID of a previously created Access group.

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite
Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList
ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP
IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta
IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML
AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken
TokenID string

The ID of a Service Token.

Applications > Policy Tests

Get the current status of a given Access policy test
client.ZeroTrust.Access.Applications.PolicyTests.Get(ctx, policyTestID, query) (*AccessApplicationPolicyTestGetResponse, error)
GET/accounts/{account_id}/access/policy-tests/{policy_test_id}
Start Access policy test
client.ZeroTrust.Access.Applications.PolicyTests.New(ctx, params) (*AccessApplicationPolicyTestNewResponse, error)
POST/accounts/{account_id}/access/policy-tests

Applications > Policy Tests > Users

Get an Access policy test users page
client.ZeroTrust.Access.Applications.PolicyTests.Users.List(ctx, policyTestID, params) (*V4PagePaginationArray[AccessApplicationPolicyTestUserListResponse], error)
GET/accounts/{account_id}/access/policy-tests/{policy_test_id}/users

Applications > Settings

Update Access application settings
client.ZeroTrust.Access.Applications.Settings.Update(ctx, appID, params) (*AccessApplicationSettingUpdateResponse, error)
PUT/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings
Update Access application settings
client.ZeroTrust.Access.Applications.Settings.Edit(ctx, appID, params) (*AccessApplicationSettingEditResponse, error)
PATCH/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings