# Origin TLS Compliance Modes ## Get Origin TLS Compliance Modes setting `client.originTLSComplianceModes.get(OriginTLSComplianceModeGetParamsparams, RequestOptionsoptions?): OriginTLSComplianceModeGetResponse` **get** `/zones/{zone_id}/settings/origin_tls_compliance_modes` Origin TLS Compliance Modes constrains the set of TLS key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. The value is a list of named compliance modes (currently `fips` and `pqh`). Multiple modes are combined as the intersection of their permitted algorithm lists. An empty list (or no rule configured) means no compliance constraint is applied. ### Parameters - `params: OriginTLSComplianceModeGetParams` - `zone_id: string` Identifier. ### Returns - `OriginTLSComplianceModeGetResponse` - `id: "origin_tls_compliance_modes"` The identifier of the caching setting. - `"origin_tls_compliance_modes"` - `editable: boolean` Whether the setting is editable. - `value: Array` List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint. - `modified_on?: string | null` Last time this setting was modified. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const originTLSComplianceMode = await client.originTLSComplianceModes.get({ zone_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(originTLSComplianceMode.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "origin_tls_compliance_modes", "editable": true, "value": [ "fips", "pqh" ], "modified_on": "2014-01-01T05:20:00.12345Z" } } ``` ## Replace Origin TLS Compliance Modes setting `client.originTLSComplianceModes.update(OriginTLSComplianceModeUpdateParamsparams, RequestOptionsoptions?): OriginTLSComplianceModeUpdateResponse` **put** `/zones/{zone_id}/settings/origin_tls_compliance_modes` Replace the entire set of TLS compliance modes for the zone with the list provided in the request body. PUT performs a full replace, not a merge — any modes not present in the request body are removed. The request body must be of the form `{"value": ["fips", "pqh"]}`. Currently supported modes are `fips` and `pqh`; an empty list clears the constraint. Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Invalid mode values are rejected with a 4xx response. ### Parameters - `params: OriginTLSComplianceModeUpdateParams` - `zone_id: string` Path param: Identifier. - `value: Array` Body param: List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint. ### Returns - `OriginTLSComplianceModeUpdateResponse` - `id: "origin_tls_compliance_modes"` The identifier of the caching setting. - `"origin_tls_compliance_modes"` - `editable: boolean` Whether the setting is editable. - `value: Array` List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint. - `modified_on?: string | null` Last time this setting was modified. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const originTLSComplianceMode = await client.originTLSComplianceModes.update({ zone_id: '023e105f4ecef8ad9ca31a8372d0c353', value: ['fips', 'pqh'], }); console.log(originTLSComplianceMode.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "origin_tls_compliance_modes", "editable": true, "value": [ "fips", "pqh" ], "modified_on": "2014-01-01T05:20:00.12345Z" } } ``` ## Change Origin TLS Compliance Modes setting `client.originTLSComplianceModes.edit(OriginTLSComplianceModeEditParamsparams, RequestOptionsoptions?): OriginTLSComplianceModeEditResponse` **patch** `/zones/{zone_id}/settings/origin_tls_compliance_modes` Update the set of TLS compliance modes for the zone. PATCH performs a full replace of the modes list, not a merge — the request body is treated as the complete new list, and any modes not present in it are removed. (To remove a single mode from an existing configuration, send the updated list without it.) The request body must be of the form `{"value": ["fips", "pqh"]}`. Currently supported modes are `fips` and `pqh`; an empty list clears the constraint. Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Invalid mode values are rejected with a 4xx response. ### Parameters - `params: OriginTLSComplianceModeEditParams` - `zone_id: string` Path param: Identifier. - `value: Array` Body param: List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint. ### Returns - `OriginTLSComplianceModeEditResponse` - `id: "origin_tls_compliance_modes"` The identifier of the caching setting. - `"origin_tls_compliance_modes"` - `editable: boolean` Whether the setting is editable. - `value: Array` List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint. - `modified_on?: string | null` Last time this setting was modified. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const response = await client.originTLSComplianceModes.edit({ zone_id: '023e105f4ecef8ad9ca31a8372d0c353', value: ['fips', 'pqh'], }); console.log(response.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "origin_tls_compliance_modes", "editable": true, "value": [ "fips", "pqh" ], "modified_on": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete Origin TLS Compliance Modes setting `client.originTLSComplianceModes.delete(OriginTLSComplianceModeDeleteParamsparams, RequestOptionsoptions?): OriginTLSComplianceModeDeleteResponse` **delete** `/zones/{zone_id}/settings/origin_tls_compliance_modes` Delete the Origin TLS Compliance Modes setting for the zone, removing any configured compliance constraint. After deletion, Cloudflare's default behavior applies (no compliance filtering of the key-exchange algorithm list sent to the origin). ### Parameters - `params: OriginTLSComplianceModeDeleteParams` - `zone_id: string` Identifier. ### Returns - `OriginTLSComplianceModeDeleteResponse` - `id: "origin_tls_compliance_modes"` The identifier of the caching setting. - `"origin_tls_compliance_modes"` - `editable: boolean` Whether the setting is editable. - `modified_on?: string | null` Last time this setting was modified. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const originTLSComplianceMode = await client.originTLSComplianceModes.delete({ zone_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(originTLSComplianceMode.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "origin_tls_compliance_modes", "editable": true, "modified_on": "2014-01-01T05:20:00.12345Z" } } ``` ## Domain Types ### Origin TLS Compliance Mode Get Response - `OriginTLSComplianceModeGetResponse` - `id: "origin_tls_compliance_modes"` The identifier of the caching setting. - `"origin_tls_compliance_modes"` - `editable: boolean` Whether the setting is editable. - `value: Array` List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint. - `modified_on?: string | null` Last time this setting was modified. ### Origin TLS Compliance Mode Update Response - `OriginTLSComplianceModeUpdateResponse` - `id: "origin_tls_compliance_modes"` The identifier of the caching setting. - `"origin_tls_compliance_modes"` - `editable: boolean` Whether the setting is editable. - `value: Array` List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint. - `modified_on?: string | null` Last time this setting was modified. ### Origin TLS Compliance Mode Edit Response - `OriginTLSComplianceModeEditResponse` - `id: "origin_tls_compliance_modes"` The identifier of the caching setting. - `"origin_tls_compliance_modes"` - `editable: boolean` Whether the setting is editable. - `value: Array` List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint. - `modified_on?: string | null` Last time this setting was modified. ### Origin TLS Compliance Mode Delete Response - `OriginTLSComplianceModeDeleteResponse` - `id: "origin_tls_compliance_modes"` The identifier of the caching setting. - `"origin_tls_compliance_modes"` - `editable: boolean` Whether the setting is editable. - `modified_on?: string | null` Last time this setting was modified.