Add an Access application
Adds a new application to Access.
Security
API Token
The preferred authorization scheme for interacting with the Cloudflare API. Create a token.
Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key
The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.
X-Auth-Email: user@example.com
The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.
X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Apps and Policies Write
Parameters
params AccessApplicationNewParams
Body param: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Body param: The application type.
Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
Body param: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
Body param: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
Body param: Displays the application in the App Launcher.
Body param: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
Body param: The custom error message shown to a user when they are denied access to the application.
Body param: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
Body param: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
Body param: The custom pages that will be displayed when applicable for this application
Destinations param.Field[[]AccessApplicationNewParamsSelfHostedApplicationDestination] optional
Body param: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestination
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestination
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Body param: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Body param: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
Body param: The image URL for the logo shown in the App Launcher dashboard.
Body param: Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
OAuthConfiguration param.Field[AccessApplicationNewParamsSelfHostedApplicationOAuthConfiguration] optional
Body param: Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationNewParamsSelfHostedApplicationOAuthConfigurationDynamicClientRegistration optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Body param: Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Body param: Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default.
Policies param.Field[[]AccessApplicationNewParamsSelfHostedApplicationPolicyUnion] optional
Body param: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessApplicationNewParamsSelfHostedApplicationPoliciesObject
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Body param: Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Body param: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
Body param: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationUnion optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
Body param: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Body param: Returns a 401 status code when the request is blocked by a Service Auth policy.
Body param: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
Body param: Enables automatic authentication through cloudflared.
Body param: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Body param: Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
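Several of the parameters above constrain each other (one IdP for automatic redirect, no preflight bypass together with cors_headers, the session duration format, unique policy precedence, destinations superseding self_hosted_domains). The following pre-flight check is an added example, not part of the Cloudflare SDK: `AppSpec` is a hypothetical local mirror of the request, and JSON names that do not appear on this page (`auto_redirect_to_identity`, `options_preflight_bypass`, `session_duration`, `precedence`) are assumptions about the API's field names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Policy and AppSpec are hypothetical local types, not the SDK's
// AccessApplicationNewParams. Only the fields needed for the checks are kept.
type Policy struct {
	Name       string `json:"name"`
	Precedence *int   `json:"precedence"` // nil when the policy omits it
}

type AppSpec struct {
	AccountID              string           `json:"account_id"`
	ZoneID                 string           `json:"zone_id"`
	Type                   string           `json:"type"`
	AllowedIdPs            []string         `json:"allowed_idps"`
	AutoRedirectToIdentity bool             `json:"auto_redirect_to_identity"`
	CORSHeaders            map[string]any   `json:"cors_headers"`
	OptionsPreflightBypass bool             `json:"options_preflight_bypass"`
	SessionDuration        string           `json:"session_duration"`
	Destinations           []map[string]any `json:"destinations"`
	SelfHostedDomains      []string         `json:"self_hosted_domains"`
	Policies               []Policy         `json:"policies"`
}

// ParseSpec decodes a JSON description of the application to be created.
func ParseSpec(data []byte) (AppSpec, error) {
	var s AppSpec
	err := json.Unmarshal(data, &s)
	return s, err
}

// Validate returns one finding per documented constraint the spec violates.
func Validate(s AppSpec) []string {
	var out []string
	// Account ID and Zone ID are mutually exclusive path parameters.
	if (s.AccountID == "") == (s.ZoneID == "") {
		out = append(out, "set exactly one of account_id and zone_id")
	}
	// Skipping the IdP selection step requires a single IdP in allowed_idps.
	if s.AutoRedirectToIdentity && len(s.AllowedIdPs) != 1 {
		out = append(out, fmt.Sprintf(
			"auto_redirect_to_identity needs exactly one allowed_idps entry, got %d",
			len(s.AllowedIdPs)))
	}
	// Preflight bypass sends unauthenticated OPTIONS requests to the origin
	// and cannot be combined with cors_headers.
	if s.OptionsPreflightBypass && s.CORSHeaders != nil {
		out = append(out, "options_preflight_bypass cannot be on while cors_headers is set")
	}
	if s.SessionDuration != "" {
		if s.Type == "infrastructure" {
			out = append(out, "session_duration is unsupported for infrastructure applications")
		} else if d, err := time.ParseDuration(s.SessionDuration); err != nil || d <= 0 {
			// time.ParseDuration accepts the documented units (ns, us, µs, ms,
			// s, m, h); rejecting non-positive values is an added assumption.
			out = append(out, fmt.Sprintf(
				"session_duration %q is not a positive duration such as 300ms or 2h45m",
				s.SessionDuration))
		}
	}
	// Precedence must be unique for each policy within an app.
	seen := map[int]string{}
	for _, p := range s.Policies {
		if p.Precedence == nil {
			continue
		}
		if prev, dup := seen[*p.Precedence]; dup {
			out = append(out, fmt.Sprintf("policies %q and %q share precedence %d",
				prev, p.Name, *p.Precedence))
		} else {
			seen[*p.Precedence] = p.Name
		}
	}
	// destinations supersedes self_hosted_domains, which is then ignored.
	if len(s.Destinations) > 0 && len(s.SelfHostedDomains) > 0 {
		out = append(out, "self_hosted_domains is ignored because destinations is set")
	}
	return out
}

// Constructed sample input; identifiers and hostnames are placeholders.
const sampleBad = `{
  "account_id": "ACCOUNT_ID_PLACEHOLDER", "type": "self_hosted",
  "allowed_idps": ["idp-one-placeholder", "idp-two-placeholder"],
  "auto_redirect_to_identity": true,
  "cors_headers": {"allowed_methods": ["GET"]},
  "options_preflight_bypass": true,
  "session_duration": "45 minutes",
  "destinations": [{"type": "public", "uri": "app.example.com"}],
  "self_hosted_domains": ["app.example.com"],
  "policies": [{"name": "staff", "precedence": 1}, {"name": "contractors", "precedence": 1}]
}`

const sampleGood = `{
  "account_id": "ACCOUNT_ID_PLACEHOLDER", "type": "self_hosted",
  "allowed_idps": ["idp-one-placeholder"], "auto_redirect_to_identity": true,
  "session_duration": "2h45m",
  "destinations": [{"type": "public", "uri": "app.example.com"}],
  "policies": [{"name": "staff", "precedence": 1}, {"name": "contractors", "precedence": 2}]
}`

func main() {
	spec, err := ParseSpec([]byte(sampleBad))
	if err != nil {
		panic(err)
	}
	for _, finding := range Validate(spec) {
		fmt.Println("finding:", finding)
	}
}
```
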
Returns
type AccessApplicationNewResponse interface{…}
type AccessApplicationNewResponseSelfHostedApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Type ApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationNewResponseSelfHostedApplicationDestination optional
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationNewResponseSelfHostedApplicationMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationNewResponseSelfHostedApplicationOAuthConfiguration optional
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationNewResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default.
Policies []AccessApplicationNewResponseSelfHostedApplicationPolicy optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationNewResponseSelfHostedApplicationSCIMConfig optional
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationUnion optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationNewResponseSaaSApplication struct{…}
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom pages that will be displayed when applicable for this application.
Policies []AccessApplicationNewResponseSaaSApplicationPolicy optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseSaaSApplicationPoliciesConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
SaaSApp AccessApplicationNewResponseSaaSApplicationSaaSApp optional
type SAMLSaaSApp struct{…}
AuthType SAMLSaaSAppAuthType optional
Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is “saml”.
The service provider’s endpoint that is responsible for receiving and parsing a SAML assertion.
CustomAttributes []SAMLSaaSAppCustomAttribute optional
NameFormat SAMLSaaSAppCustomAttributesNameFormat optional
A globally unique name for an identity or service provider.
The URL that the user will be redirected to after a successful login for IdP-initiated logins.
A JSONata expression that transforms an application’s user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
A JSONata (https://jsonata.org/) expression that transforms an application’s user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
type OIDCSaaSApp struct{…}
The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
Whether a client secret is required on the token endpoint when the authorization_code_with_pkce grant is used.
AuthType OIDCSaaSAppAuthType optional
Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
CustomClaims []OIDCSaaSAppCustomClaim optional
GrantTypes []OIDCSaaSAppGrantType optional
The OIDC flows supported by this application.
A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
The permitted URLs for Cloudflare to return authorization codes and Access/ID tokens.
SCIMConfig AccessApplicationNewResponseSaaSApplicationSCIMConfig optional
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationUnion optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
type AccessApplicationNewResponseBrowserSSHApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Type AccessApplicationNewResponseBrowserSSHApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
Destinations []AccessApplicationNewResponseBrowserSSHApplicationDestination optional
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ‘*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationNewResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationNewResponseBrowserSSHApplicationMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationNewResponseBrowserSSHApplicationOAuthConfiguration optional
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationNewResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default.
Policies []AccessApplicationNewResponseBrowserSSHApplicationPolicy optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseBrowserSSHApplicationPoliciesConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigoptionalConfiguration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationUnionoptionalAttributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationNewResponseBrowserVNCApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Type AccessApplicationNewResponseBrowserVNCApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
Destinations []AccessApplicationNewResponseBrowserVNCApplicationDestination optional
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationNewResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationNewResponseBrowserVNCApplicationMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationNewResponseBrowserVNCApplicationOAuthConfiguration optional
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationNewResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default.
Policies []AccessApplicationNewResponseBrowserVNCApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseBrowserVNCApplicationPoliciesConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationNewResponseBrowserVNCApplicationSCIMConfig optional
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationNewResponseAppLauncherApplication struct{…}
Type AccessApplicationNewResponseAppLauncherApplicationType
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
FooterLinks []AccessApplicationNewResponseAppLauncherApplicationFooterLink optional
The links in the App Launcher footer.
LandingPageDesign AccessApplicationNewResponseAppLauncherApplicationLandingPageDesign optional
The design of the App Launcher landing page shown to users when they log in.
Policies []AccessApplicationNewResponseAppLauncherApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseAppLauncherApplicationPoliciesConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
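The Include (OR), Exclude (NOT) and Require (AND) semantics and the unique-precedence constraint documented for policies, modelled as an added Go example that is not part of the SDK or of this reference. The Identity, Rule and Policy types and all helper names are assumptions for illustration, and treating an empty Include list as matching nobody is a modelling choice.

```go
package main

import (
	"fmt"
	"sort"
)

// Identity is a hypothetical, simplified view of an authenticated user.
type Identity struct {
	Email       string
	GitHubOrgs  []string
	AuthMethods []string // RFC 8176 "amr" values such as "pwd", "mfa", "hwk"
	RiskScore   string   // low, medium, high or unscored
}

// Rule is a predicate over an identity; it stands in for the SDK's rule structs.
type Rule func(Identity) bool

// Policy holds the three rule lists and the order-of-execution value.
type Policy struct {
	Name       string
	Precedence int
	Include    []Rule
	Exclude    []Rule
	Require    []Rule
}

func contains(xs []string, want string) bool {
	for _, x := range xs {
		if x == want {
			return true
		}
	}
	return false
}

// Hypothetical rule constructors mirroring three of the rule kinds listed above.
func InGitHubOrg(org string) Rule {
	return func(id Identity) bool { return contains(id.GitHubOrgs, org) }
}

func UsedAuthMethod(amr string) Rule {
	return func(id Identity) bool { return contains(id.AuthMethods, amr) }
}

func RiskScoreIn(levels ...string) Rule {
	return func(id Identity) bool { return contains(levels, id.RiskScore) }
}

// Matches applies Include as OR, Exclude as NOT and Require as AND.
func (p Policy) Matches(id Identity) bool {
	included := false
	for _, r := range p.Include {
		if r(id) {
			included = true
			break
		}
	}
	if !included {
		return false // no Include rule met (also the case for an empty list)
	}
	for _, r := range p.Exclude {
		if r(id) {
			return false // meeting any Exclude rule prevents a match
		}
	}
	for _, r := range p.Require {
		if !r(id) {
			return false // every Require rule must be met
		}
	}
	return true
}

// DuplicatePrecedence returns precedence values shared by more than one policy.
func DuplicatePrecedence(policies []Policy) []int {
	count := map[int]int{}
	for _, p := range policies {
		count[p.Precedence]++
	}
	var dups []int
	for prec, n := range count {
		if n > 1 {
			dups = append(dups, prec)
		}
	}
	sort.Ints(dups)
	return dups
}

// SamplePolicy is constructed for this example only.
func SamplePolicy() Policy {
	return Policy{
		Name:       "engineering-mfa",
		Precedence: 1,
		Include:    []Rule{InGitHubOrg("example-org"), RiskScoreIn("low")},
		Exclude:    []Rule{RiskScoreIn("high")},
		Require:    []Rule{UsedAuthMethod("mfa")},
	}
}

func main() {
	p := SamplePolicy()
	users := []Identity{ // constructed sample identities
		{Email: "alice@example.com", GitHubOrgs: []string{"example-org"}, AuthMethods: []string{"pwd", "mfa"}, RiskScore: "low"},
		{Email: "carol@example.com", GitHubOrgs: []string{"example-org"}, AuthMethods: []string{"mfa"}, RiskScore: "high"},
	}
	for _, u := range users {
		fmt.Printf("%s matches %s: %v\n", u.Email, p.Name, p.Matches(u))
	}
}
```

Running identities through such a model before creating the application makes it easy to spot an Exclude rule that silently overrides an Include, or a Require rule that locks out everyone.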
type AccessApplicationNewResponseDeviceEnrollmentPermissionsApplication struct{…}
Type ApplicationType
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Policies []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
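The Include (OR), Exclude (NOT) and Require (AND) descriptions above combine into a single match decision per policy. The following is an added example, not code from the SDK: it models that combination and lints a policy set against the constraints stated in the field descriptions (unique precedence, linked app token rules only with non_identity or bypass, risk levels limited to low, medium, high, unscored). The `Rule`, `User` and `Policy` types, the rule kind labels, the `allow`/`deny` decision strings and all sample data are assumptions constructed for illustration.

```go
package main

import "fmt"

// Rule, User and Policy are simplified stand-ins invented for this example,
// not the SDK's types; the Kind labels are illustrative.
type Rule struct {
	Kind   string   // e.g. "github_org", "auth_method", "user_risk_score", "linked_app_token"
	Values []string // values the rule accepts
}

// User maps a rule kind to the values the session carries for it.
type User map[string][]string

type Policy struct {
	Name                      string
	Decision                  string // allow, deny, non_identity or bypass
	Precedence                int
	Include, Exclude, Require []Rule
}

var riskLevels = map[string]bool{"low": true, "medium": true, "high": true, "unscored": true}

// meets reports whether the user satisfies one rule; missing attributes fail closed.
func meets(r Rule, u User) bool {
	for _, have := range u[r.Kind] {
		for _, want := range r.Values {
			if have == want {
				return true
			}
		}
	}
	return false
}

// countMet returns how many of the given rules the user satisfies.
func countMet(rules []Rule, u User) int {
	n := 0
	for _, r := range rules {
		if meets(r, u) {
			n++
		}
	}
	return n
}

// Matches combines the three lists: Include is OR, Exclude is NOT, Require is AND.
func Matches(p Policy, u User) bool {
	return countMet(p.Include, u) > 0 &&
		countMet(p.Exclude, u) == 0 &&
		countMet(p.Require, u) == len(p.Require)
}

// Lint reports violations of constraints stated in the field descriptions.
func Lint(policies []Policy) []string {
	var out []string
	seen := map[int]string{}
	for _, p := range policies {
		if prev, dup := seen[p.Precedence]; dup {
			out = append(out, fmt.Sprintf("%s: precedence %d already used by %s", p.Name, p.Precedence, prev))
		}
		seen[p.Precedence] = p.Name
		all := append(append(append([]Rule{}, p.Include...), p.Exclude...), p.Require...)
		for _, r := range all {
			if r.Kind == "linked_app_token" && p.Decision != "non_identity" && p.Decision != "bypass" {
				out = append(out, fmt.Sprintf("%s: linked app token rule with decision %q", p.Name, p.Decision))
			}
			for _, v := range r.Values {
				if r.Kind == "user_risk_score" && !riskLevels[v] {
					out = append(out, fmt.Sprintf("%s: unknown risk level %q", p.Name, v))
				}
			}
		}
	}
	return out
}

// SamplePolicies returns constructed data: one sound policy and one with three defects.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "engineering", Decision: "allow", Precedence: 1,
			Include: []Rule{{"github_org", []string{"example-org"}}},
			Exclude: []Rule{{"user_risk_score", []string{"high"}}},
			Require: []Rule{{"auth_method", []string{"hwk"}}}},
		{Name: "service", Decision: "allow", Precedence: 1,
			Include: []Rule{{"linked_app_token", []string{"APP_ID_PLACEHOLDER"}}},
			Exclude: []Rule{{"user_risk_score", []string{"critical"}}}},
	}
}

func main() {
	p := SamplePolicies()[0]
	alice := User{"github_org": {"example-org"}, "user_risk_score": {"low"}, "auth_method": {"pwd", "hwk"}}
	bob := User{"github_org": {"example-org"}, "user_risk_score": {"high"}, "auth_method": {"pwd", "hwk"}}
	fmt.Println("alice:", Matches(p, alice), "bob:", Matches(p, bob))
	for _, f := range Lint(SamplePolicies()) {
		fmt.Println("finding:", f)
	}
}
```

A policy with an empty Include list never matches in this model, because a user must meet at least one Include rule.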
type AccessApplicationNewResponseBrowserIsolationPermissionsApplication struct{…}
Type ApplicationType
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Policies []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPolicy optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationNewResponseGatewayIdentityProxyEndpointApplication struct{…}
Type ApplicationType
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
Policies []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPolicy optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationNewResponseBookmarkApplication struct{…}
Policies []AccessApplicationNewResponseBookmarkApplicationPolicy optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseBookmarkApplicationPoliciesConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
type AccessApplicationNewResponseInfrastructureApplication struct{…}
TargetCriteria []AccessApplicationNewResponseInfrastructureApplicationTargetCriterion
Type ApplicationType
The application type.
Policies []AccessApplicationNewResponseInfrastructureApplicationPolicy optional
ConnectionRules AccessApplicationNewResponseInfrastructureApplicationPoliciesConnectionRules optional
The rules that define how users may connect to the targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationNewResponseBrowserRDPApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
TargetCriteria []AccessApplicationNewResponseBrowserRDPApplicationTargetCriterion
Type ApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
Destinations []AccessApplicationNewResponseBrowserRDPApplicationDestination optional
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ‘*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationNewResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationNewResponseBrowserRDPApplicationMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationNewResponseBrowserRDPApplicationOAuthConfiguration optional
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationNewResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default.
Policies []AccessApplicationNewResponseBrowserRDPApplicationPolicy optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRules optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseBrowserRDPApplicationPoliciesConnectionRulesRDP optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfig optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
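The Exclude (NOT), Include (OR) and Require (AND) groups described above combine into a single match decision. The following is an added example, not code from the SDK or from Cloudflare: a small Go model of that combination that also reports which group decided the outcome. The Identity, Rule and Policy types, the sample organization name and the choice that an empty Include list matches nobody are assumptions of this model.

```go
package main

import "fmt"

// Identity is a constructed stand-in for what is known about a user at login.
// Field names are hypothetical and are not SDK types.
type Identity struct {
	GitHubOrgs  []string
	AuthMethods []string // RFC 8176 "amr" values such as "pwd" or "hwk"
	RiskScore   string   // low, medium, high, or unscored
}

// Rule is one selector; it reports whether the identity satisfies it.
type Rule func(Identity) bool

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// GitHubOrg models the GitHub organization rule.
func GitHubOrg(name string) Rule {
	return func(id Identity) bool { return contains(id.GitHubOrgs, name) }
}

// AuthMethod models the authentication method rule.
func AuthMethod(amr string) Rule {
	return func(id Identity) bool { return contains(id.AuthMethods, amr) }
}

// RiskScoreIn models the user risk score rule: any listed level matches.
func RiskScoreIn(levels ...string) Rule {
	return func(id Identity) bool { return contains(levels, id.RiskScore) }
}

// Policy groups rules the way the reference describes them.
type Policy struct {
	Include []Rule // OR: at least one must match
	Exclude []Rule // NOT: none may match
	Require []Rule // AND: all must match
}

// Matches reports whether the identity matches the policy and why.
// The boolean result does not depend on the order the groups are checked in;
// Exclude is checked first here only so the reason names the strongest veto.
func (p Policy) Matches(id Identity) (bool, string) {
	for i, r := range p.Exclude {
		if r(id) {
			return false, fmt.Sprintf("exclude[%d] matched", i)
		}
	}
	for i, r := range p.Require {
		if !r(id) {
			return false, fmt.Sprintf("require[%d] not met", i)
		}
	}
	for _, r := range p.Include {
		if r(id) {
			return true, "matched"
		}
	}
	// Assumption of this model: with no matching Include rule nobody matches.
	return false, "no include rule matched"
}

// samplePolicy is constructed for the example: members of one GitHub
// organization, with a hardware-backed key, unless their risk score is high.
func samplePolicy() Policy {
	return Policy{
		Include: []Rule{GitHubOrg("example-org")},
		Require: []Rule{AuthMethod("hwk")},
		Exclude: []Rule{RiskScoreIn("high")},
	}
}

func main() {
	p := samplePolicy()
	users := map[string]Identity{ // constructed identities
		"alice": {[]string{"example-org"}, []string{"pwd", "hwk"}, "low"},
		"bob":   {[]string{"example-org"}, []string{"pwd"}, "low"},
		"carol": {[]string{"example-org"}, []string{"pwd", "hwk"}, "high"},
		"dave":  {[]string{"other-org"}, []string{"hwk"}, "unscored"},
	}
	for _, name := range []string{"alice", "bob", "carol", "dave"} {
		ok, why := p.Matches(users[name])
		fmt.Printf("%-5s match=%-5v %s\n", name, ok, why)
	}
}
```

Because Exclude vetoes regardless of the other groups, a broad Include combined with a narrow Require is the usual way to express "anyone in this population, provided they also satisfy X".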
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationNewResponseBrowserRDPApplicationSCIMConfig optional
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationNewResponseMcpServerApplication struct{…}
Type ApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
Destinations []AccessApplicationNewResponseMcpServerApplicationDestination optional
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationNewResponseMcpServerApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ‘*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationNewResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
OAuthConfiguration AccessApplicationNewResponseMcpServerApplicationOAuthConfiguration optional
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationNewResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Policies []AccessApplicationNewResponseMcpServerApplicationPolicy (optional)
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRules (optional)
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseMcpServerApplicationPoliciesConnectionRulesRDP (optional)
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfig (optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator (optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationNewResponseMcpServerApplicationSCIMConfig (optional)
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationUnion (optional)
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional)
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional)
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
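The Include (OR), Require (AND) and Exclude (NOT) operators described for policies above, modelled as an added example that is not code from cloudflare-go or from Cloudflare. Identity, Rule, Policy, Evaluate and the sample policies are hypothetical names; deciding by the first matching policy in precedence order, with deny when nothing matches, is an assumption of this model.

```go
package main

import (
	"fmt"
	"sort"
)

// Identity is a constructed stand-in for what an IdP asserts about a user; it is not a cloudflare-go type.
type Identity struct {
	GitHubOrgs []string
	AMR        []string // RFC 8176 authentication method references, e.g. "pwd", "mfa"
	RiskScore  string   // low, medium, high, or unscored
}

// Rule reports whether an identity satisfies a single rule.
type Rule func(Identity) bool

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// Hypothetical constructors modelled on three of the rule types listed above.
func GitHubOrg(name string) Rule { return func(id Identity) bool { return contains(id.GitHubOrgs, name) } }
func AuthMethod(amr string) Rule { return func(id Identity) bool { return contains(id.AMR, amr) } }
func RiskScoreIn(levels ...string) Rule {
	return func(id Identity) bool { return contains(levels, id.RiskScore) }
}

// Policy carries the Include, Require, Exclude and precedence fields.
type Policy struct {
	Name       string
	Decision   string // "allow" or "deny" in this model
	Precedence int    // order of execution, unique within an app
	Include    []Rule
	Require    []Rule
	Exclude    []Rule
}

func anyRule(rules []Rule, id Identity) bool {
	for _, r := range rules {
		if r(id) {
			return true
		}
	}
	return false
}

// Matches applies the three operators: Include is OR, Require is AND,
// Exclude is NOT. An empty Include list matches nobody.
func (p Policy) Matches(id Identity) bool {
	if !anyRule(p.Include, id) {
		return false
	}
	for _, r := range p.Require {
		if !r(id) {
			return false
		}
	}
	return !anyRule(p.Exclude, id)
}

// Evaluate walks the policies in ascending precedence. Assumption: the first
// matching policy decides, and no match at all means deny.
func Evaluate(policies []Policy, id Identity) (decision, matched string) {
	ordered := append([]Policy(nil), policies...) // do not reorder the caller's slice
	sort.SliceStable(ordered, func(i, j int) bool { return ordered[i].Precedence < ordered[j].Precedence })
	for _, p := range ordered {
		if p.Matches(id) {
			return p.Decision, p.Name
		}
	}
	return "deny", "(default)"
}

// SamplePolicies is constructed for this example.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "engineers", Decision: "allow", Precedence: 2,
			Include: []Rule{GitHubOrg("example-org")},
			Require: []Rule{AuthMethod("mfa")},
			Exclude: []Rule{RiskScoreIn("high", "unscored")}},
		{Name: "block-high-risk", Decision: "deny", Precedence: 1,
			Include: []Rule{RiskScoreIn("high")}},
	}
}

func main() {
	alice := Identity{GitHubOrgs: []string{"example-org"}, AMR: []string{"pwd", "mfa"}, RiskScore: "low"}
	decision, by := Evaluate(SamplePolicies(), alice)
	fmt.Printf("alice: %s (policy %s)\n", decision, by)
}
```

A user who is in the Include group but signed in with a password only fails the Require rule, so the allow policy never matches and the default deny applies.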
type AccessApplicationNewResponseMcpServerPortalApplication struct{…}
Type ApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationNewResponseMcpServerPortalApplicationDestination (optional)
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationNewResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol (optional)
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
OAuthConfiguration AccessApplicationNewResponseMcpServerPortalApplicationOAuthConfiguration (optional)
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationNewResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration (optional)
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Policies []AccessApplicationNewResponseMcpServerPortalApplicationPolicy (optional)
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRules (optional)
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationNewResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP (optional)
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfig (optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationNewResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator (optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfig (optional)
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion (optional)
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationNewResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional)
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional)
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
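An added example, not part of cloudflare-go: a check that reads one application object as returned by this endpoint and reports the constraints the field descriptions above state (exactly one IdP when auto-redirect is on, no preflight bypass alongside cors_headers, private destinations that omit l4_protocol or port_range, an explicit HttpOnly opt-out). The App, Destination, Finding and Audit names and both JSON inputs are constructed for illustration; only the JSON keys come from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// App decodes only the fields this check reads. The JSON keys are the ones in
// the sample response on this page; the Go types are hypothetical.
type App struct {
	AllowedIdPs            []string        `json:"allowed_idps"`
	AutoRedirectToIdentity bool            `json:"auto_redirect_to_identity"`
	CORSHeaders            json.RawMessage `json:"cors_headers"`
	OptionsPreflightBypass bool            `json:"options_preflight_bypass"`
	HTTPOnlyCookie         *bool           `json:"http_only_cookie_attribute"`
	Destinations           []Destination   `json:"destinations"`
}

type Destination struct {
	Type       string `json:"type"`
	L4Protocol string `json:"l4_protocol"`
	PortRange  string `json:"port_range"`
}

// Finding is one audit result; Code is stable, Detail is for the reader.
type Finding struct {
	Code   string
	Detail string
}

// Audit checks one application object against the documented constraints.
func Audit(raw []byte) ([]Finding, error) {
	var app App
	if err := json.Unmarshal(raw, &app); err != nil {
		return nil, fmt.Errorf("decode application: %w", err)
	}
	var out []Finding
	add := func(code, detail string) { out = append(out, Finding{Code: code, Detail: detail}) }

	// An empty allowed_idps defaults to every IdP configured in the account.
	if len(app.AllowedIdPs) == 0 {
		add("all_idps_allowed", "allowed_idps is empty, so every configured IdP is accepted")
	}
	// Skipping IdP selection requires exactly one IdP in allowed_idps.
	if app.AutoRedirectToIdentity && len(app.AllowedIdPs) != 1 {
		add("auto_redirect_idp_count",
			fmt.Sprintf("auto_redirect_to_identity is set with %d allowed_idps entries", len(app.AllowedIdPs)))
	}
	// options_preflight_bypass cannot be turned on while cors_headers is set.
	corsSet := len(app.CORSHeaders) > 0 && string(app.CORSHeaders) != "null"
	if app.OptionsPreflightBypass && corsSet {
		add("preflight_bypass_with_cors", "options_preflight_bypass and cors_headers are both set")
	}
	// Only an explicit false is reported; an absent key is left alone.
	if app.HTTPOnlyCookie != nil && !*app.HTTPOnlyCookie {
		add("http_only_disabled", "http_only_cookie_attribute is false")
	}
	// A private destination matches UDP and TCP, or all ports, when the field is omitted.
	for i, d := range app.Destinations {
		if d.Type != "private" {
			continue
		}
		if d.L4Protocol == "" {
			add("private_dest_any_protocol", fmt.Sprintf("destinations[%d] omits l4_protocol", i))
		}
		if d.PortRange == "" {
			add("private_dest_any_port", fmt.Sprintf("destinations[%d] omits port_range", i))
		}
	}
	return out, nil
}

// Constructed inputs, trimmed to the shape of the sample response on this page.
const SampleBypassAndCORS = `{
  "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
  "auto_redirect_to_identity": true,
  "cors_headers": {"allowed_origins": ["https://example.com"]},
  "options_preflight_bypass": true,
  "http_only_cookie_attribute": true,
  "destinations": [
    {"type": "public", "uri": "test.example.com/admin"},
    {"type": "private", "hostname": "private-sni.example.com"}
  ]
}`

const SampleTwoIdPs = `{
  "allowed_idps": ["idp-a", "idp-b"],
  "auto_redirect_to_identity": true,
  "http_only_cookie_attribute": false
}`

func main() {
	for _, sample := range []string{SampleBypassAndCORS, SampleTwoIdPs} {
		findings, err := Audit([]byte(sample))
		if err != nil {
			panic(err)
		}
		for _, f := range findings {
			fmt.Printf("%s: %s\n", f.Code, f.Detail)
		}
	}
}
```

The sample response further down this page sets both options_preflight_bypass and cors_headers, so its result object would produce the preflight_bypass_with_cors finding.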
Add an Access application
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// The token below is the documentation's sample value; supply your own API token.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Create a self-hosted application that protects test.example.com/admin.
	application, err := client.ZeroTrust.Access.Applications.New(context.TODO(), zero_trust.AccessApplicationNewParams{
		Body: zero_trust.AccessApplicationNewParamsBodySelfHostedApplication{
			Domain: cloudflare.F("test.example.com/admin"),
			Type:   cloudflare.F(zero_trust.ApplicationTypeSelfHosted),
		},
	})
	if err != nil {
		panic(err.Error())
	}
	// Print the application object returned by the API.
	fmt.Printf("%+v\n", application)
}
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": [
        "string"
      ],
      "allowed_methods": [
        "GET"
      ],
      "allowed_origins": [
        "https://example.com"
      ],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "destinations": [
      {
        "type": "public",
        "uri": "test.example.com/admin"
      },
      {
        "type": "public",
        "uri": "test.anotherexample.com/staff"
      },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "mcp_server_id": "mcp-server-1",
        "type": "via_mcp_server_portal"
      }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": [
          "https://example.com/callback"
        ],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": [
              "test1@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": [
              "test@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": [
              "text"
            ],
            "allowed_clipboard_remote_to_local_formats": [
              "text"
            ]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "include": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": [
            "totp",
            "biometrics",
            "security_key"
          ],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": {
            "create": true,
            "delete": true,
            "update": true
          },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": [
      "engineers"
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
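A defender-side check on the `scim_config` part of the response shown above, built on the mapping fields this page describes (`filter` and `strictness`). It is an added example, not part of Cloudflare's documentation or SDK: `reviewSCIM`, the finding strings and the rule that an empty filter counts as unfiltered are assumptions of this example, and the sample response is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sample is a constructed response, trimmed to the fields reviewed below.
const sample = `{"success": true, "result": {"scim_config": {"enabled": true, "mappings": [
  {"enabled": true, "filter": "userType eq \"Intern\"", "strictness": "strict"},
  {"enabled": true, "strictness": "passthrough"}]}}}`

// envelope keeps only the fields read here; untagged names match JSON keys case-insensitively.
type envelope struct {
	Success bool
	Result  struct {
		SCIM struct {
			Enabled  bool
			Mappings []struct {
				Enabled            bool
				Filter, Strictness string
			}
		} `json:"scim_config"`
	}
}

// reviewSCIM lists the enabled mappings that this example's own policy flags.
func reviewSCIM(raw []byte) ([]string, error) {
	var e envelope
	if err := json.Unmarshal(raw, &e); err != nil {
		return nil, err
	}
	if !e.Success {
		return nil, fmt.Errorf("success=false: no application to review")
	}
	var out []string
	for i, m := range e.Result.SCIM.Mappings {
		if !e.Result.SCIM.Enabled || !m.Enabled {
			continue // nothing is provisioned through a disabled mapping
		}
		if m.Strictness == "passthrough" {
			out = append(out, fmt.Sprintf("mappings[%d]: passthrough forwards unknown values", i))
		}
		if m.Filter == "" { // assumption: an absent filter matches every resource
			out = append(out, fmt.Sprintf("mappings[%d]: no filter limits what is provisioned", i))
		}
	}
	return out, nil
}
func main() { fmt.Println(reviewSCIM([]byte(sample))) }
```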