List Access applications
Lists all Access applications in an account or zone.
Security
API Token
The preferred authorization scheme for interacting with the Cloudflare API. Create a token.
Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYYAPI Email + API Key
The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.
X-Auth-Email: user@example.comThe previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.
X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194Accepted Permissions (at least one required)
Access: Apps and Policies RevokeAccess: Apps and Policies WriteAccess: Apps and Policies ReadParametersExpand Collapse
params AccessApplicationListParams
Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
ReturnsExpand Collapse
type AccessApplicationListResponse interface{…}
type AccessApplicationListResponseSelfHostedApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Type ApplicationTypeThe application type.
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationListResponseSelfHostedApplicationDestinationoptionalList of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationListResponseSelfHostedApplicationDestinationsPublicDestination struct{…}A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationListResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocoloptionalThe L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationListResponseSelfHostedApplicationMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseSelfHostedApplicationMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationListResponseSelfHostedApplicationOAuthConfigurationoptionalBeta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationListResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistrationoptionalSettings for OAuth dynamic client registration.
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default
Policies []AccessApplicationListResponseSelfHostedApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseSelfHostedApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { “cf-access-client-id”: “88bf3b6d86161464f6509f7219099e57.access.example.com”, “cf-access-client-secret”: “bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5” }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationListResponseSelfHostedApplicationSCIMConfigoptionalConfiguration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationUnionoptionalAttributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItemMultiple authentication schemes
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperationsoptionalWhether or not this mapping applies to creates, updates, or deletes.
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictnessoptionalThe level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationListResponseSaaSApplication struct{…}
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom pages that will be displayed when applicable for this application
Policies []AccessApplicationListResponseSaaSApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseSaaSApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
SaaSApp AccessApplicationListResponseSaaSApplicationSaaSAppoptional
type SAMLSaaSApp struct{…}
AuthType SAMLSaaSAppAuthTypeoptionalOptional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is “saml”
Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is “saml”
The service provider’s endpoint that is responsible for receiving and parsing a SAML assertion.
CustomAttributes []SAMLSaaSAppCustomAttributeoptional
NameFormat SAMLSaaSAppCustomAttributesNameFormatoptionalA globally unique name for an identity or service provider.
A globally unique name for an identity or service provider.
The URL that the user will be redirected to after a successful login for IDP initiated logins.
A JSONata expression that transforms an application’s user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
A [JSONata] (https://jsonata.org/) expression that transforms an application’s user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
type OIDCSaaSApp struct{…}
The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
AuthType OIDCSaaSAppAuthTypeoptionalIdentifier of the authentication protocol used for the saas app. Required for OIDC.
Identifier of the authentication protocol used for the saas app. Required for OIDC.
CustomClaims []OIDCSaaSAppCustomClaimoptional
GrantTypes []OIDCSaaSAppGrantTypeoptionalThe OIDC flows supported by this application
The OIDC flows supported by this application
A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
The permitted URL’s for Cloudflare to return Authorization codes and Access/ID tokens
SCIMConfig AccessApplicationListResponseSaaSApplicationSCIMConfigoptionalConfiguration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationUnionoptionalAttributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItemMultiple authentication schemes
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperationsoptionalWhether or not this mapping applies to creates, updates, or deletes.
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictnessoptionalThe level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
type AccessApplicationListResponseBrowserSSHApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Type AccessApplicationListResponseBrowserSSHApplicationTypeThe application type.
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationListResponseBrowserSSHApplicationDestinationoptionalList of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationListResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationListResponseBrowserSSHApplicationDestinationsPrivateDestinationL4ProtocoloptionalThe L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationListResponseBrowserSSHApplicationMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseBrowserSSHApplicationMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationListResponseBrowserSSHApplicationOAuthConfigurationoptionalBeta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationListResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistrationoptionalSettings for OAuth dynamic client registration.
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default
Policies []AccessApplicationListResponseBrowserSSHApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseBrowserSSHApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { “cf-access-client-id”: “88bf3b6d86161464f6509f7219099e57.access.example.com”, “cf-access-client-secret”: “bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5” }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationListResponseBrowserSSHApplicationSCIMConfigoptionalConfiguration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationUnionoptionalAttributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItemMultiple authentication schemes
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperationsoptionalWhether or not this mapping applies to creates, updates, or deletes.
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictnessoptionalThe level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationListResponseBrowserVNCApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Type AccessApplicationListResponseBrowserVNCApplicationTypeThe application type.
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationListResponseBrowserVNCApplicationDestinationoptionalList of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationListResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationListResponseBrowserVNCApplicationDestinationsPrivateDestinationL4ProtocoloptionalThe L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationListResponseBrowserVNCApplicationMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseBrowserVNCApplicationMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationListResponseBrowserVNCApplicationOAuthConfigurationoptionalBeta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationListResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistrationoptionalSettings for OAuth dynamic client registration.
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default
Policies []AccessApplicationListResponseBrowserVNCApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseBrowserVNCApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { “cf-access-client-id”: “88bf3b6d86161464f6509f7219099e57.access.example.com”, “cf-access-client-secret”: “bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5” }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationListResponseBrowserVNCApplicationSCIMConfigoptionalConfiguration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationUnionoptionalAttributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItemMultiple authentication schemes
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperationsoptionalWhether or not this mapping applies to creates, updates, or deletes.
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictnessoptionalThe level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationListResponseAppLauncherApplication struct{…}
Type AccessApplicationListResponseAppLauncherApplicationTypeThe application type.
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
FooterLinks []AccessApplicationListResponseAppLauncherApplicationFooterLinkoptionalThe links in the App Launcher footer.
The links in the App Launcher footer.
LandingPageDesign AccessApplicationListResponseAppLauncherApplicationLandingPageDesignoptionalThe design of the App Launcher landing page shown to users when they log in.
The design of the App Launcher landing page shown to users when they log in.
Policies []AccessApplicationListResponseAppLauncherApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseAppLauncherApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationListResponseDeviceEnrollmentPermissionsApplication struct{…}
Type ApplicationTypeThe application type.
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Policies []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationListResponseBrowserIsolationPermissionsApplication struct{…}
Type ApplicationTypeThe application type.
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Policies []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationListResponseGatewayIdentityProxyEndpointApplication struct{…}
Type ApplicationTypeThe application type.
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
Policies []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationListResponseBookmarkApplication struct{…}
Policies []AccessApplicationListResponseBookmarkApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseBookmarkApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
type AccessApplicationListResponseInfrastructureApplication struct{…}
TargetCriteria []AccessApplicationListResponseInfrastructureApplicationTargetCriterion
Type ApplicationTypeThe application type.
The application type.
Policies []AccessApplicationListResponseInfrastructureApplicationPolicyoptional
ConnectionRules AccessApplicationListResponseInfrastructureApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to the targets secured by your application.
The rules that define how users may connect to the targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationListResponseBrowserRDPApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
TargetCriteria []AccessApplicationListResponseBrowserRDPApplicationTargetCriterion
Type ApplicationTypeThe application type.
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationListResponseBrowserRDPApplicationDestinationoptionalList of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationListResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationListResponseBrowserRDPApplicationDestinationsPrivateDestinationL4ProtocoloptionalThe L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationListResponseBrowserRDPApplicationMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseBrowserRDPApplicationMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationListResponseBrowserRDPApplicationOAuthConfigurationoptionalBeta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationListResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistrationoptionalSettings for OAuth dynamic client registration.
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default
Policies []AccessApplicationListResponseBrowserRDPApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseBrowserRDPApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { “cf-access-client-id”: “88bf3b6d86161464f6509f7219099e57.access.example.com”, “cf-access-client-secret”: “bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5” }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationListResponseBrowserRDPApplicationSCIMConfigoptionalConfiguration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationUnionoptionalAttributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItemMultiple authentication schemes
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperationsoptionalWhether or not this mapping applies to creates, updates, or deletes.
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictnessoptionalThe level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationListResponseMcpServerApplication struct{…}
Type ApplicationTypeThe application type.
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationListResponseMcpServerApplicationDestinationoptionalList of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationListResponseMcpServerApplicationDestinationsPublicDestination struct{…}A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationListResponseMcpServerApplicationDestinationsPrivateDestinationL4ProtocoloptionalThe L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
OAuthConfiguration AccessApplicationListResponseMcpServerApplicationOAuthConfigurationoptionalBeta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationListResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistrationoptionalSettings for OAuth dynamic client registration.
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Policies []AccessApplicationListResponseMcpServerApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseMcpServerApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationListResponseMcpServerApplicationSCIMConfigoptionalConfiguration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationUnionoptionalAttributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItemMultiple authentication schemes
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperationsoptionalWhether or not this mapping applies to creates, updates, or deletes.
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictnessoptionalThe level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
type AccessApplicationListResponseMcpServerPortalApplication struct{…}
Type ApplicationTypeThe application type.
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationListResponseMcpServerPortalApplicationDestinationoptionalList of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationListResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4ProtocoloptionalThe L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
OAuthConfiguration AccessApplicationListResponseMcpServerPortalApplicationOAuthConfigurationoptionalBeta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationListResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistrationoptionalSettings for OAuth dynamic client registration.
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Policies []AccessApplicationListResponseMcpServerPortalApplicationPolicyoptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesoptionalThe rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationListResponseMcpServerPortalApplicationPoliciesConnectionRulesRDPoptionalThe RDP-specific rules that define clipboard behavior for RDP connections.
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigoptionalConfigures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationListResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticatoroptionalLists the MFA methods that users can authenticate with.
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}Enforce different MFA options
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}Matches an OIDC claim.
Requires an OIDC identity provider.
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}Matches a user’s risk score.
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreA list of risk score levels to match. Values can be low, medium, high, or unscored.
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigoptionalConfiguration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnionoptionalAttributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItemMultiple authentication schemes
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
type AccessApplicationListResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperationsoptionalWhether or not this mapping applies to creates, updates, or deletes.
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictnessoptionalThe level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List Access applications
package main
import (
"context"
"fmt"
"github.com/cloudflare/cloudflare-go"
"github.com/cloudflare/cloudflare-go/option"
"github.com/cloudflare/cloudflare-go/zero_trust"
)
func main() {
client := cloudflare.NewClient(
option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
)
page, err := client.ZeroTrust.Access.Applications.List(context.TODO(), zero_trust.AccessApplicationListParams{
})
if err != nil {
panic(err.Error())
}
fmt.Printf("%+v\n", page)
}
{
"errors": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"messages": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"success": true,
"result": [
{
"domain": "test.example.com/admin",
"type": "self_hosted",
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"allow_authenticate_via_warp": true,
"allow_iframe": true,
"allowed_idps": [
"699d98642c564d2e855e9661899b7252"
],
"app_launcher_visible": true,
"aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
"auto_redirect_to_identity": true,
"cors_headers": {
"allow_all_headers": true,
"allow_all_methods": true,
"allow_all_origins": true,
"allow_credentials": true,
"allowed_headers": [
"string"
],
"allowed_methods": [
"GET"
],
"allowed_origins": [
"https://example.com"
],
"max_age": -1
},
"created_at": "2014-01-01T05:20:00.12345Z",
"custom_deny_message": "custom_deny_message",
"custom_deny_url": "custom_deny_url",
"custom_non_identity_deny_url": "custom_non_identity_deny_url",
"custom_pages": [
"699d98642c564d2e855e9661899b7252"
],
"destinations": [
{
"type": "public",
"uri": "test.example.com/admin"
},
{
"type": "public",
"uri": "test.anotherexample.com/staff"
},
{
"cidr": "10.5.0.0/24",
"hostname": "hostname",
"l4_protocol": "tcp",
"port_range": "80-90",
"type": "private",
"vnet_id": "vnet_id"
},
{
"cidr": "10.5.0.3/32",
"hostname": "hostname",
"l4_protocol": "tcp",
"port_range": "80",
"type": "private",
"vnet_id": "vnet_id"
},
{
"cidr": "cidr",
"hostname": "private-sni.example.com",
"l4_protocol": "tcp",
"port_range": "port_range",
"type": "private",
"vnet_id": "vnet_id"
},
{
"mcp_server_id": "mcp-server-1",
"type": "via_mcp_server_portal"
}
],
"enable_binding_cookie": true,
"http_only_cookie_attribute": true,
"logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
"mfa_config": {
"allowed_authenticators": [
"totp",
"biometrics",
"security_key"
],
"mfa_disabled": false,
"session_duration": "24h"
},
"name": "Admin Site",
"oauth_configuration": {
"dynamic_client_registration": {
"allow_any_on_localhost": true,
"allow_any_on_loopback": true,
"allowed_uris": [
"https://example.com/callback"
],
"enabled": true
},
"enabled": true,
"grant": {
"access_token_lifetime": "5m",
"session_duration": "24h"
}
},
"options_preflight_bypass": true,
"path_cookie_attribute": true,
"policies": [
{
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"approval_groups": [
{
"approvals_needed": 1,
"email_addresses": [
"test1@cloudflare.com",
"test2@cloudflare.com"
],
"email_list_uuid": "email_list_uuid"
},
{
"approvals_needed": 3,
"email_addresses": [
"test@cloudflare.com",
"test2@cloudflare.com"
],
"email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
}
],
"approval_required": true,
"connection_rules": {
"rdp": {
"allowed_clipboard_local_to_remote_formats": [
"text"
],
"allowed_clipboard_remote_to_local_formats": [
"text"
]
}
},
"created_at": "2014-01-01T05:20:00.12345Z",
"decision": "allow",
"exclude": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"include": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"isolation_required": false,
"mfa_config": {
"allowed_authenticators": [
"totp",
"biometrics",
"security_key"
],
"mfa_disabled": false,
"session_duration": "24h"
},
"name": "Allow devs",
"precedence": 0,
"purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
"purpose_justification_required": true,
"require": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"session_duration": "24h",
"updated_at": "2014-01-01T05:20:00.12345Z"
}
],
"read_service_tokens_from_header": "Authorization",
"same_site_cookie_attribute": "strict",
"scim_config": {
"idp_uid": "idp_uid",
"remote_uri": "remote_uri",
"authentication": {
"password": "password",
"scheme": "httpbasic",
"user": "user"
},
"deactivate_on_delete": true,
"enabled": true,
"mappings": [
{
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"enabled": true,
"filter": "title pr or userType eq \"Intern\"",
"operations": {
"create": true,
"delete": true,
"update": true
},
"strictness": "strict",
"transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
}
]
},
"self_hosted_domains": [
"test.example.com/admin",
"test.anotherexample.com/staff"
],
"service_auth_401_redirect": true,
"session_duration": "24h",
"skip_interstitial": true,
"tags": [
"engineers"
],
"updated_at": "2014-01-01T05:20:00.12345Z",
"use_clientless_isolation_app_launcher_url": false
}
],
"result_info": {
"count": 1,
"page": 1,
"per_page": 20,
"total_count": 2000,
"total_pages": 100
}
}Returns Examples
{
"errors": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"messages": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"success": true,
"result": [
{
"domain": "test.example.com/admin",
"type": "self_hosted",
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"allow_authenticate_via_warp": true,
"allow_iframe": true,
"allowed_idps": [
"699d98642c564d2e855e9661899b7252"
],
"app_launcher_visible": true,
"aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
"auto_redirect_to_identity": true,
"cors_headers": {
"allow_all_headers": true,
"allow_all_methods": true,
"allow_all_origins": true,
"allow_credentials": true,
"allowed_headers": [
"string"
],
"allowed_methods": [
"GET"
],
"allowed_origins": [
"https://example.com"
],
"max_age": -1
},
"created_at": "2014-01-01T05:20:00.12345Z",
"custom_deny_message": "custom_deny_message",
"custom_deny_url": "custom_deny_url",
"custom_non_identity_deny_url": "custom_non_identity_deny_url",
"custom_pages": [
"699d98642c564d2e855e9661899b7252"
],
"destinations": [
{
"type": "public",
"uri": "test.example.com/admin"
},
{
"type": "public",
"uri": "test.anotherexample.com/staff"
},
{
"cidr": "10.5.0.0/24",
"hostname": "hostname",
"l4_protocol": "tcp",
"port_range": "80-90",
"type": "private",
"vnet_id": "vnet_id"
},
{
"cidr": "10.5.0.3/32",
"hostname": "hostname",
"l4_protocol": "tcp",
"port_range": "80",
"type": "private",
"vnet_id": "vnet_id"
},
{
"cidr": "cidr",
"hostname": "private-sni.example.com",
"l4_protocol": "tcp",
"port_range": "port_range",
"type": "private",
"vnet_id": "vnet_id"
},
{
"mcp_server_id": "mcp-server-1",
"type": "via_mcp_server_portal"
}
],
"enable_binding_cookie": true,
"http_only_cookie_attribute": true,
"logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
"mfa_config": {
"allowed_authenticators": [
"totp",
"biometrics",
"security_key"
],
"mfa_disabled": false,
"session_duration": "24h"
},
"name": "Admin Site",
"oauth_configuration": {
"dynamic_client_registration": {
"allow_any_on_localhost": true,
"allow_any_on_loopback": true,
"allowed_uris": [
"https://example.com/callback"
],
"enabled": true
},
"enabled": true,
"grant": {
"access_token_lifetime": "5m",
"session_duration": "24h"
}
},
"options_preflight_bypass": true,
"path_cookie_attribute": true,
"policies": [
{
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"approval_groups": [
{
"approvals_needed": 1,
"email_addresses": [
"test1@cloudflare.com",
"test2@cloudflare.com"
],
"email_list_uuid": "email_list_uuid"
},
{
"approvals_needed": 3,
"email_addresses": [
"test@cloudflare.com",
"test2@cloudflare.com"
],
"email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
}
],
"approval_required": true,
"connection_rules": {
"rdp": {
"allowed_clipboard_local_to_remote_formats": [
"text"
],
"allowed_clipboard_remote_to_local_formats": [
"text"
]
}
},
"created_at": "2014-01-01T05:20:00.12345Z",
"decision": "allow",
"exclude": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"include": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"isolation_required": false,
"mfa_config": {
"allowed_authenticators": [
"totp",
"biometrics",
"security_key"
],
"mfa_disabled": false,
"session_duration": "24h"
},
"name": "Allow devs",
"precedence": 0,
"purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
"purpose_justification_required": true,
"require": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"session_duration": "24h",
"updated_at": "2014-01-01T05:20:00.12345Z"
}
],
"read_service_tokens_from_header": "Authorization",
"same_site_cookie_attribute": "strict",
"scim_config": {
"idp_uid": "idp_uid",
"remote_uri": "remote_uri",
"authentication": {
"password": "password",
"scheme": "httpbasic",
"user": "user"
},
"deactivate_on_delete": true,
"enabled": true,
"mappings": [
{
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"enabled": true,
"filter": "title pr or userType eq \"Intern\"",
"operations": {
"create": true,
"delete": true,
"update": true
},
"strictness": "strict",
"transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
}
]
},
"self_hosted_domains": [
"test.example.com/admin",
"test.anotherexample.com/staff"
],
"service_auth_401_redirect": true,
"session_duration": "24h",
"skip_interstitial": true,
"tags": [
"engineers"
],
"updated_at": "2014-01-01T05:20:00.12345Z",
"use_clientless_isolation_app_launcher_url": false
}
],
"result_info": {
"count": 1,
"page": 1,
"per_page": 20,
"total_count": 2000,
"total_pages": 100
}
}