
Update your Zero Trust organization

client.ZeroTrust.Organizations.Update(ctx, params) (*Organization, error)
PUT /{accounts_or_zones}/{account_or_zone_id}/access/organizations

Updates the configuration for your Zero Trust organization.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Organizations, Identity Providers, and Groups Write
Parameters
params OrganizationUpdateParams
AccountID param.Field[string] (optional)

Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

ZoneID param.Field[string] (optional)

Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

AllowAuthenticateViaWARP param.Field[bool] (optional)

Body param: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

AuthDomain param.Field[string] (optional)

Body param: The unique subdomain assigned to your Zero Trust organization.

AutoRedirectToIdentity param.Field[bool] (optional)

Body param: When set to true, users skip the identity provider selection step during login.

CustomPages param.Field[OrganizationUpdateParamsCustomPages] (optional)

Body param

Forbidden string (optional)

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

IdentityDenied string (optional)

The uid of the custom page to use when a user is denied access.

DenyUnmatchedRequests param.Field[bool] (optional)

Body param: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

DenyUnmatchedRequestsExemptedZoneNames param.Field[[]string] (optional)

Body param: Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

IsUIReadOnly param.Field[bool] (optional)

Body param: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

LoginDesign param.Field[LoginDesign] (optional)

Body param

MfaConfig param.Field[OrganizationUpdateParamsMfaConfig] (optional)

Body param: Configures multi-factor authentication (MFA) settings for an organization.

AllowedAuthenticators []OrganizationUpdateParamsMfaConfigAllowedAuthenticator (optional)

Lists the MFA methods that users can authenticate with.

One of the following:
const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorTotp OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "totp"
const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorBiometrics OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "biometrics"
const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorSecurityKey OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "security_key"
const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorSSHPivKey OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "ssh_piv_key"
AmrMatchingSessionDuration string (optional)

Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains “mfa”. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).

RequiredAaguids string (optional)

Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.

format: uuid
SessionDuration string (optional)

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

MfaRequiredForAllApps param.Field[bool] (optional)

Body param: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

MfaSSHPivKeyRequirements param.Field[OrganizationUpdateParamsMfaSSHPivKeyRequirements] (optional)

Body param: Configures SSH PIV key requirements for MFA using hardware security keys.

PinPolicy OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicy (optional)

Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use).

One of the following:
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicyNever OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicy = "never"
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicyOnce OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicy = "once"
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicyAlways OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicy = "always"
RequireFipsDevice bool (optional)

Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.

SSHKeySize []OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize (optional)

Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.

One of the following:
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize256 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 256
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize384 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 384
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize521 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 521
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize2048 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 2048
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize3072 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 3072
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize4096 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 4096
SSHKeyType []OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyType (optional)

Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.

One of the following:
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyTypeEcdsa OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyType = "ecdsa"
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyTypeEd25519 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyType = "ed25519"
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyTypeRSA OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyType = "rsa"
TouchPolicy OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicy (optional)

Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds).

One of the following:
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicyNever OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicy = "never"
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicyAlways OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicy = "always"
const OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicyCached OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicy = "cached"
Name param.Field[string] (optional)

Body param: The name of your Zero Trust organization.

SessionDuration param.Field[string] (optional)

Body param: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UIReadOnlyToggleReason param.Field[string] (optional)

Body param: A description of the reason why the UI read only field is being toggled.

UserSeatExpirationInactiveTime param.Field[string] (optional)

Body param: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

WARPAuthSessionDuration param.Field[string] (optional)

Body param: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

Returns
type Organization struct{…}
AllowAuthenticateViaWARP bool (optional)

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

AuthDomain string (optional)

The unique subdomain assigned to your Zero Trust organization.

AutoRedirectToIdentity bool (optional)

When set to true, users skip the identity provider selection step during login.

CustomPages OrganizationCustomPages (optional)
Forbidden string (optional)

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

IdentityDenied string (optional)

The uid of the custom page to use when a user is denied access.

DenyUnmatchedRequests bool (optional)

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

DenyUnmatchedRequestsExemptedZoneNames []string (optional)

Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

IsUIReadOnly bool (optional)

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

LoginDesign LoginDesign (optional)
BackgroundColor string (optional)

The background color on your login page.

HeaderText string (optional)

The text at the top of your login page.

LogoPath string (optional)

The URL of the logo on your login page.

TextColor string (optional)

The text color on your login page.

MfaConfig OrganizationMfaConfig (optional)

Configures multi-factor authentication (MFA) settings for an organization.

AllowedAuthenticators []OrganizationMfaConfigAllowedAuthenticator (optional)

Lists the MFA methods that users can authenticate with.

One of the following:
const OrganizationMfaConfigAllowedAuthenticatorTotp OrganizationMfaConfigAllowedAuthenticator = "totp"
const OrganizationMfaConfigAllowedAuthenticatorBiometrics OrganizationMfaConfigAllowedAuthenticator = "biometrics"
const OrganizationMfaConfigAllowedAuthenticatorSecurityKey OrganizationMfaConfigAllowedAuthenticator = "security_key"
const OrganizationMfaConfigAllowedAuthenticatorSSHPivKey OrganizationMfaConfigAllowedAuthenticator = "ssh_piv_key"
AmrMatchingSessionDuration string (optional)

Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains “mfa”. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).

RequiredAaguids string (optional)

Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.

format: uuid
SessionDuration string (optional)

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

MfaRequiredForAllApps bool (optional)

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

MfaSSHPivKeyRequirements OrganizationMfaSSHPivKeyRequirements (optional)

Configures SSH PIV key requirements for MFA using hardware security keys.

PinPolicy OrganizationMfaSSHPivKeyRequirementsPinPolicy (optional)

Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use).

One of the following:
const OrganizationMfaSSHPivKeyRequirementsPinPolicyNever OrganizationMfaSSHPivKeyRequirementsPinPolicy = "never"
const OrganizationMfaSSHPivKeyRequirementsPinPolicyOnce OrganizationMfaSSHPivKeyRequirementsPinPolicy = "once"
const OrganizationMfaSSHPivKeyRequirementsPinPolicyAlways OrganizationMfaSSHPivKeyRequirementsPinPolicy = "always"
RequireFipsDevice bool (optional)

Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.

SSHKeySize []OrganizationMfaSSHPivKeyRequirementsSSHKeySize (optional)

Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.

One of the following:
const OrganizationMfaSSHPivKeyRequirementsSSHKeySize256 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 256
const OrganizationMfaSSHPivKeyRequirementsSSHKeySize384 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 384
const OrganizationMfaSSHPivKeyRequirementsSSHKeySize521 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 521
const OrganizationMfaSSHPivKeyRequirementsSSHKeySize2048 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 2048
const OrganizationMfaSSHPivKeyRequirementsSSHKeySize3072 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 3072
const OrganizationMfaSSHPivKeyRequirementsSSHKeySize4096 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 4096
SSHKeyType []OrganizationMfaSSHPivKeyRequirementsSSHKeyType (optional)

Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.

One of the following:
const OrganizationMfaSSHPivKeyRequirementsSSHKeyTypeEcdsa OrganizationMfaSSHPivKeyRequirementsSSHKeyType = "ecdsa"
const OrganizationMfaSSHPivKeyRequirementsSSHKeyTypeEd25519 OrganizationMfaSSHPivKeyRequirementsSSHKeyType = "ed25519"
const OrganizationMfaSSHPivKeyRequirementsSSHKeyTypeRSA OrganizationMfaSSHPivKeyRequirementsSSHKeyType = "rsa"
TouchPolicy OrganizationMfaSSHPivKeyRequirementsTouchPolicy (optional)

Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds).

One of the following:
const OrganizationMfaSSHPivKeyRequirementsTouchPolicyNever OrganizationMfaSSHPivKeyRequirementsTouchPolicy = "never"
const OrganizationMfaSSHPivKeyRequirementsTouchPolicyAlways OrganizationMfaSSHPivKeyRequirementsTouchPolicy = "always"
const OrganizationMfaSSHPivKeyRequirementsTouchPolicyCached OrganizationMfaSSHPivKeyRequirementsTouchPolicy = "cached"
Name string (optional)

The name of your Zero Trust organization.

SessionDuration string (optional)

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UIReadOnlyToggleReason string (optional)

A description of the reason why the UI read only field is being toggled.

UserSeatExpirationInactiveTime string (optional)

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

WARPAuthSessionDuration string (optional)

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

Update your Zero Trust organization

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
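  organization, err := client.ZeroTrust.Organizations.Update(context.TODO(), zero_trust.OrganizationUpdateParams{
    // Set either AccountID or ZoneID (they are mutually exclusive); "<ACCOUNT_ID>" is a placeholder.
    AccountID: cloudflare.F("<ACCOUNT_ID>"),
  })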
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", organization.AutoRedirectToIdentity)
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "amr_matching_session_duration": "12h",
      "required_aaguids": "2fc0579f-8113-47ea-b116-bb5a8db9202a",
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "mfa_ssh_piv_key_requirements": {
      "pin_policy": "always",
      "require_fips_device": true,
      "ssh_key_size": [
        256,
        2048
      ],
      "ssh_key_type": [
        "ecdsa",
        "rsa"
      ],
      "touch_policy": "always"
    },
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
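
A preflight check for the duration and SSH key constraints documented in the parameter list above, as an added example that is not part of this page or of the Cloudflare SDK. OrgSettings, Validate and the key-size-per-type table are assumptions introduced here; the sample input is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// OrgSettings is a hypothetical local struct for a few documented body fields (not an SDK type).
type OrgSettings struct {
	MfaSession, AmrMatching, WARPAuthSession, UserSeatInactive string
	SSHKeyTypes                                                []string
	SSHKeySizes                                                []int
}

// Fields documented as "minutes (m) or hours (h)" reject s, ms, us and ns.
var minutesOrHours = regexp.MustCompile(`^(\d+h)?(\d+m)?$`)

// Assumption: the usual ECDSA curve and RSA modulus sizes for each key type.
var sizesByType = map[string][]int{"ecdsa": {256, 384, 521}, "rsa": {2048, 3072, 4096}}

// Validate returns one message per documented constraint that s violates.
func Validate(s OrgSettings) []string {
	var problems []string
	for _, f := range []struct {
		name, val string
		max       time.Duration // 0: the page documents no maximum
	}{
		{"mfa_config.session_duration", s.MfaSession, 720 * time.Hour},
		{"mfa_config.amr_matching_session_duration", s.AmrMatching, 720 * time.Hour},
		{"warp_auth_session_duration", s.WARPAuthSession, 0},
	} {
		if f.val == "" {
			continue // optional field left unset
		}
		d, err := time.ParseDuration(f.val)
		if err != nil || !minutesOrHours.MatchString(f.val) {
			problems = append(problems, f.name+": must be a duration in m and h units only")
		} else if f.max > 0 && d > f.max {
			problems = append(problems, f.name+": exceeds the 720h maximum")
		}
	}
	if v := s.UserSeatInactive; v != "" {
		if d, err := time.ParseDuration(v); err != nil || d < 730*time.Hour {
			problems = append(problems, "user_seat_expiration_inactive_time: minimum is 730h")
		}
	}
	allowed := map[int]bool{}
	for _, t := range s.SSHKeyTypes {
		for _, n := range sizesByType[t] { // ed25519 contributes no sizes
			allowed[n] = true
		}
	}
	for _, n := range s.SSHKeySizes {
		if len(s.SSHKeyTypes) > 0 && !allowed[n] {
			problems = append(problems, fmt.Sprintf("ssh_key_size %d: not valid for the listed key types", n))
		}
	}
	return problems
}

func main() {
	// Constructed input: each field breaks one documented rule.
	bad := OrgSettings{"721h", "30s", "300ms", "24h", []string{"ed25519"}, []int{256}}
	fmt.Println(Validate(bad))
}
```

Running the check before calling Organizations.Update surfaces unit and range mistakes locally; the API remains the authority on what it accepts.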