
Zero Trust

Zero Trust > Devices

List devices (deprecated)
Deprecated
client.zeroTrust.devices.list(DeviceListParams { account_id } params, RequestOptions options?): SinglePage<Device { id, created, deleted, 17 more }>
GET /accounts/{account_id}/devices
Get device (deprecated)
Deprecated
client.zeroTrust.devices.get(string deviceId, DeviceGetParams { account_id } params, RequestOptions options?): DeviceGetResponse { id, account, created, 16 more } | null
GET /accounts/{account_id}/devices/{device_id}
Models
Device { id, created, deleted, 17 more }
id?: string

Registration ID. Equal to Device ID except for accounts which enabled multi-user mode.

maxLength: 36
created?: string

When the device was created.

format: date-time
deleted?: boolean

True if the device was deleted.

device_type?: "windows" | "mac" | "linux" | 3 more
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
ip?: string

IPv4 or IPv6 address.

key?: string

The device’s public key.

last_seen?: string

When the device last connected to Cloudflare services.

format: date-time
mac_address?: string

The device mac address.

manufacturer?: string

The device manufacturer name.

model?: string

The device model name.

name?: string

The device name.

os_distro_name?: string

The Linux distro name.

os_distro_revision?: string

The Linux distro revision.

os_version?: string

The operating system version.

os_version_extra?: string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

revoked_at?: string

When the device was revoked.

format: date-time
serial_number?: string

The device serial number.

updated?: string

When the device was updated.

format: date-time
user?: User { id, email, name }
id?: string

UUID.

maxLength: 36
email?: string

The contact email address of the user.

maxLength: 90
name?: string

The enrolled device user’s name.

version?: string

The WARP client version.

DeviceGetResponse { id, account, created, 16 more }
id?: string

Registration ID. Equal to Device ID except for accounts which enabled multi-user mode.

maxLength: 36
account?: Account { id, account_type, name }
id?: string (deprecated)
account_type?: string (deprecated)
name?: string

The name of the enrolled account.

created?: string

When the device was created.

format: date-time
deleted?: boolean

True if the device was deleted.

device_type?: string
gateway_device_id?: string (deprecated)
ip?: string

IPv4 or IPv6 address.

key?: string

The device’s public key.

key_type?: string

Type of the key.

last_seen?: string

When the device last connected to Cloudflare services.

format: date-time
mac_address?: string

The device mac address.

model?: string

The device model name.

name?: string

The device name.

os_version?: string

The operating system version.

serial_number?: string

The device serial number.

tunnel_type?: string

Type of the tunnel connection used.

updated?: string

When the device was updated.

format: date-time
user?: User { id, email, name }
id?: string

UUID.

maxLength: 36
email?: string

The contact email address of the user.

maxLength: 90
name?: string

The enrolled device user’s name.

version?: string

The WARP client version.

Zero Trust > Devices > Devices

List devices
client.zeroTrust.devices.devices.list(DeviceListParams { account_id, id, active_registrations, 9 more } params, RequestOptions options?): CursorPagination<DeviceListResponse { id, active_registrations, created_at, 16 more }>
GET /accounts/{account_id}/devices/physical-devices
Get device
client.zeroTrust.devices.devices.get(string deviceId, DeviceGetParams { account_id, include } params, RequestOptions options?): DeviceGetResponse { id, active_registrations, created_at, 16 more }
GET /accounts/{account_id}/devices/physical-devices/{device_id}
Delete device
client.zeroTrust.devices.devices.delete(string deviceId, DeviceDeleteParams { account_id } params, RequestOptions options?): DeviceDeleteResponse | null
DELETE /accounts/{account_id}/devices/physical-devices/{device_id}
Revoke device registrations
client.zeroTrust.devices.devices.revoke(string deviceId, DeviceRevokeParams { account_id } params, RequestOptions options?): DeviceRevokeResponse | null
POST /accounts/{account_id}/devices/physical-devices/{device_id}/revoke
Models
DeviceListResponse { id, active_registrations, created_at, 16 more }

A WARP Device.

id: string

The unique ID of the device.

active_registrations: number

The number of active registrations for the device. Active registrations are those which haven’t been revoked or deleted.

created_at: string

The RFC3339 timestamp when the device was created.

last_seen_at: string | null

The RFC3339 timestamp when the device was last seen.

name: string

The name of the device.

updated_at: string

The RFC3339 timestamp when the device was last updated.

client_version?: string | null

Version of the WARP client.

deleted_at?: string | null

The RFC3339 timestamp when the device was deleted.

device_type?: string | null

The device operating system.

hardware_id?: string | null

A string that uniquely identifies the hardware or virtual machine (VM).

last_seen_registration?: LastSeenRegistration | null

The last seen registration for the device.

policy?: Policy | null

A summary of the device profile evaluated for the registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

name: string

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

last_seen_user?: LastSeenUser | null

The last user to use the WARP device.

id?: string

UUID.

maxLength: 36
email?: string

The contact email address of the user.

maxLength: 90
name?: string

The enrolled device user’s name.

mac_address?: string | null

The device MAC address.

manufacturer?: string | null

The device manufacturer.

model?: string | null

The model name of the device.

os_version?: string | null

The device operating system version number.

os_version_extra?: string | null

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

serial_number?: string | null

The device serial number.

DeviceGetResponse { id, active_registrations, created_at, 16 more }

A WARP Device.

id: string

The unique ID of the device.

active_registrations: number

The number of active registrations for the device. Active registrations are those which haven’t been revoked or deleted.

created_at: string

The RFC3339 timestamp when the device was created.

last_seen_at: string | null

The RFC3339 timestamp when the device was last seen.

name: string

The name of the device.

updated_at: string

The RFC3339 timestamp when the device was last updated.

client_version?: string | null

Version of the WARP client.

deleted_at?: string | null

The RFC3339 timestamp when the device was deleted.

device_type?: string | null

The device operating system.

hardware_id?: string | null

A string that uniquely identifies the hardware or virtual machine (VM).

last_seen_registration?: LastSeenRegistration | null

The last seen registration for the device.

policy?: Policy | null

A summary of the device profile evaluated for the registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

name: string

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

last_seen_user?: LastSeenUser | null

The last user to use the WARP device.

id?: string

UUID.

maxLength: 36
email?: string

The contact email address of the user.

maxLength: 90
name?: string

The enrolled device user’s name.

mac_address?: string | null

The device MAC address.

manufacturer?: string | null

The device manufacturer.

model?: string | null

The model name of the device.

os_version?: string | null

The device operating system version number.

os_version_extra?: string | null

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

serial_number?: string | null

The device serial number.

DeviceDeleteResponse = unknown
DeviceRevokeResponse = unknown

Zero Trust > Devices > Resilience

Zero Trust > Devices > Resilience > Global WARP Override

Retrieve Global WARP override state
client.zeroTrust.devices.resilience.globalWARPOverride.get(GlobalWARPOverrideGetParams { account_id } params, RequestOptions options?): GlobalWARPOverrideGetResponse { disconnect, timestamp } | null
GET /accounts/{account_id}/devices/resilience/disconnect
Set Global WARP override state
client.zeroTrust.devices.resilience.globalWARPOverride.create(GlobalWARPOverrideCreateParams { account_id, disconnect, justification } params, RequestOptions options?): GlobalWARPOverrideCreateResponse { disconnect, timestamp } | null
POST /accounts/{account_id}/devices/resilience/disconnect
Models
GlobalWARPOverrideGetResponse { disconnect, timestamp }
disconnect?: boolean

Disconnects all devices on the account using Global WARP override.

timestamp?: string

When the Global WARP override state was updated.

format: date-time
GlobalWARPOverrideCreateResponse { disconnect, timestamp }
disconnect?: boolean

Disconnects all devices on the account using Global WARP override.

timestamp?: string

When the Global WARP override state was updated.

format: date-time

Zero Trust > Devices > Registrations

List registrations
client.zeroTrust.devices.registrations.list(RegistrationListParams { account_id, id, cursor, 10 more } params, RequestOptions options?): CursorPagination<RegistrationListResponse { id, created_at, device, 9 more }>
GET /accounts/{account_id}/devices/registrations
Get registration
client.zeroTrust.devices.registrations.get(string registrationId, RegistrationGetParams { account_id, include } params, RequestOptions options?): RegistrationGetResponse { id, created_at, device, 9 more }
GET /accounts/{account_id}/devices/registrations/{registration_id}
Delete registration
client.zeroTrust.devices.registrations.delete(string registrationId, RegistrationDeleteParams { account_id } params, RequestOptions options?): RegistrationDeleteResponse | null
DELETE /accounts/{account_id}/devices/registrations/{registration_id}
Delete registrations
client.zeroTrust.devices.registrations.bulkDelete(RegistrationBulkDeleteParams { account_id, id } params, RequestOptions options?): RegistrationBulkDeleteResponse | null
DELETE /accounts/{account_id}/devices/registrations
Revoke registrations
client.zeroTrust.devices.registrations.revoke(RegistrationRevokeParams { account_id, id } params, RequestOptions options?): RegistrationRevokeResponse | null
POST /accounts/{account_id}/devices/registrations/revoke
Unrevoke registrations
client.zeroTrust.devices.registrations.unrevoke(RegistrationUnrevokeParams { account_id, id } params, RequestOptions options?): RegistrationUnrevokeResponse | null
POST /accounts/{account_id}/devices/registrations/unrevoke
Models
RegistrationListResponse { id, created_at, device, 9 more }

A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.

id: string

The ID of the registration.

created_at: string

The RFC3339 timestamp when the registration was created.

device: Device { id, name, client_version }

Device details embedded inside of a registration.

id: string

The ID of the device.

name: string

The name of the device.

client_version?: string

Version of the WARP client.

key: string

The public key used to connect to the Cloudflare network.

last_seen_at: string

The RFC3339 timestamp when the registration was last seen.

updated_at: string

The RFC3339 timestamp when the registration was last updated.

deleted_at?: string | null

The RFC3339 timestamp when the registration was deleted.

key_type?: string | null

The type of encryption key used by the WARP client for the active key. Currently ‘curve25519’ for WireGuard and ‘secp256r1’ for MASQUE.

policy?: Policy { id, default, deleted, 2 more }

The device settings profile assigned to this registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

name: string

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

revoked_at?: string | null

The RFC3339 timestamp when the registration was revoked.

tunnel_type?: string | null

Type of the tunnel - wireguard or masque.

user?: User { id, email, name }
id?: string

UUID.

maxLength: 36
email?: string

The contact email address of the user.

maxLength: 90
name?: string

The enrolled device user’s name.

RegistrationGetResponse { id, created_at, device, 9 more }

A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.

id: string

The ID of the registration.

created_at: string

The RFC3339 timestamp when the registration was created.

device: Device { id, name, client_version }

Device details embedded inside of a registration.

id: string

The ID of the device.

name: string

The name of the device.

client_version?: string

Version of the WARP client.

key: string

The public key used to connect to the Cloudflare network.

last_seen_at: string

The RFC3339 timestamp when the registration was last seen.

updated_at: string

The RFC3339 timestamp when the registration was last updated.

deleted_at?: string | null

The RFC3339 timestamp when the registration was deleted.

key_type?: string | null

The type of encryption key used by the WARP client for the active key. Currently ‘curve25519’ for WireGuard and ‘secp256r1’ for MASQUE.

policy?: Policy { id, default, deleted, 2 more }

The device settings profile assigned to this registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

name: string

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

revoked_at?: string | null

The RFC3339 timestamp when the registration was revoked.

tunnel_type?: string | null

Type of the tunnel - wireguard or masque.

user?: User { id, email, name }
id?: string

UUID.

maxLength: 36
email?: string

The contact email address of the user.

maxLength: 90
name?: string

The enrolled device user’s name.

RegistrationDeleteResponse = unknown
RegistrationBulkDeleteResponse = unknown
RegistrationRevokeResponse = unknown
RegistrationUnrevokeResponse = unknown

Zero Trust > Devices > DEX Tests

List Device DEX tests
client.zeroTrust.devices.dexTests.list(DEXTestListParams { account_id, kind, page, 2 more } params, RequestOptions options?): V4PagePaginationArray<DEXTestListResponse { data, enabled, interval, 5 more }>
GET /accounts/{account_id}/dex/devices/dex_tests
Get Device DEX test
client.zeroTrust.devices.dexTests.get(string dexTestId, DEXTestGetParams { account_id } params, RequestOptions options?): DEXTestGetResponse { data, enabled, interval, 5 more }
GET /accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}
Create Device DEX test
client.zeroTrust.devices.dexTests.create(DEXTestCreateParams { account_id, data, enabled, 5 more } params, RequestOptions options?): DEXTestCreateResponse { data, enabled, interval, 5 more }
POST /accounts/{account_id}/dex/devices/dex_tests
Update Device DEX test
client.zeroTrust.devices.dexTests.update(string dexTestId, DEXTestUpdateParams { account_id, data, enabled, 5 more } params, RequestOptions options?): DEXTestUpdateResponse { data, enabled, interval, 5 more }
PUT /accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}
Delete Device DEX test
client.zeroTrust.devices.dexTests.delete(string dexTestId, DEXTestDeleteParams { account_id } params, RequestOptions options?): DEXTestDeleteResponse { dex_tests }
DELETE /accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}
Models
SchemaData { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host?: string

The desired endpoint to test.

kind?: string

The type of test.

method?: string

The HTTP request method type.

SchemaHTTP { data, enabled, interval, 5 more }
data: SchemaData { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

name: string

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

Device settings profiles targeted by this test.

id?: string

The id of the device settings profile.

default?: boolean

Whether the profile is the account default.

name?: string

The name of the device settings profile.

targeted?: boolean
test_id?: string

The unique identifier for the test.

maxLength: 32
DEXTestListResponse { data, enabled, interval, 5 more }
data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:
"http"
"traceroute"
method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

name: string

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength: 36
default?: boolean

Whether the DEX rule is the account default

name?: string

The name of the DEX rule

targeted?: boolean
test_id?: string

The unique identifier for the test.

maxLength: 32
DEXTestGetResponse { data, enabled, interval, 5 more }
data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:
"http"
"traceroute"
method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

name: string

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength: 36
default?: boolean

Whether the DEX rule is the account default

name?: string

The name of the DEX rule

targeted?: boolean
test_id?: string

The unique identifier for the test.

maxLength: 32
DEXTestCreateResponse { data, enabled, interval, 5 more }
data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:
"http"
"traceroute"
method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

name: string

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength: 36
default?: boolean

Whether the DEX rule is the account default

name?: string

The name of the DEX rule

targeted?: boolean
test_id?: string

The unique identifier for the test.

maxLength: 32
DEXTestUpdateResponse { data, enabled, interval, 5 more }
data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:
"http"
"traceroute"
method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

name: string

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength: 36
default?: boolean

Whether the DEX rule is the account default

name?: string

The name of the DEX rule

targeted?: boolean
test_id?: string

The unique identifier for the test.

maxLength: 32
DEXTestDeleteResponse { dex_tests }
dex_tests?: Array<DEXTest>
data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:
"http"
"traceroute"
method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

name: string

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength: 36
default?: boolean

Whether the DEX rule is the account default

name?: string

The name of the DEX rule

targeted?: boolean
test_id?: string

The unique identifier for the test.

maxLength: 32

Zero Trust > Devices > IP Profiles

List IP profiles
client.zeroTrust.devices.ipProfiles.list(IPProfileListParams { account_id, per_page } params, RequestOptions options?): SinglePage<IPProfile { id, created_at, description, 6 more }>
GET /accounts/{account_id}/devices/ip-profiles
Get IP profile
client.zeroTrust.devices.ipProfiles.get(string profileId, IPProfileGetParams { account_id } params, RequestOptions options?): IPProfile { id, created_at, description, 6 more }
GET /accounts/{account_id}/devices/ip-profiles/{profile_id}
Create IP profile
client.zeroTrust.devices.ipProfiles.create(IPProfileCreateParams { account_id, match, name, 4 more } params, RequestOptions options?): IPProfile { id, created_at, description, 6 more }
POST /accounts/{account_id}/devices/ip-profiles
Update IP profile
client.zeroTrust.devices.ipProfiles.update(string profileId, IPProfileUpdateParams { account_id, description, enabled, 4 more } params, RequestOptions options?): IPProfile { id, created_at, description, 6 more }
PATCH /accounts/{account_id}/devices/ip-profiles/{profile_id}
Delete IP profile
client.zeroTrust.devices.ipProfiles.delete(string profileId, IPProfileDeleteParams { account_id } params, RequestOptions options?): IPProfileDeleteResponse { id }
DELETE /accounts/{account_id}/devices/ip-profiles/{profile_id}
Models
IPProfile { id, created_at, description, 6 more }
id: string

The ID of the Device IP profile.

created_at: string

The RFC3339Nano timestamp when the Device IP profile was created.

description: string | null

An optional description of the Device IP profile.

enabled: boolean

Whether the Device IP profile is enabled.

match: string

The wirefilter expression to match registrations. Available values: “identity.name”, “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.saml_attributes”.

maxLength: 10000
name: string

A user-friendly name for the Device IP profile.

precedence: number

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: string

The ID of the Subnet.

updated_at: string

The RFC3339Nano timestamp when the Device IP profile was last updated.

IPProfileDeleteResponse { id }
id?: string

ID of the deleted Device IP profile.

Zero Trust > Devices > Deployment Groups

List deployment groups
client.zeroTrust.devices.deploymentGroups.list(DeploymentGroupListParams { account_id, page, per_page } params, RequestOptions options?): V4PagePaginationArray<DeploymentGroup { id, created_at, name, 3 more }>
GET /accounts/{account_id}/devices/deployment-groups
Get deployment group
client.zeroTrust.devices.deploymentGroups.get(string groupId, DeploymentGroupGetParams { account_id } params, RequestOptions options?): DeploymentGroup { id, created_at, name, 3 more }
GET /accounts/{account_id}/devices/deployment-groups/{group_id}
Create deployment group
client.zeroTrust.devices.deploymentGroups.create(DeploymentGroupCreateParams { account_id, name, version_config, policy_ids } params, RequestOptions options?): DeploymentGroup { id, created_at, name, 3 more }
POST /accounts/{account_id}/devices/deployment-groups
Update deployment group
client.zeroTrust.devices.deploymentGroups.edit(string groupId, DeploymentGroupEditParams { account_id, name, policy_ids, version_config } params, RequestOptions options?): DeploymentGroup { id, created_at, name, 3 more }
PATCH /accounts/{account_id}/devices/deployment-groups/{group_id}
Delete deployment group
client.zeroTrust.devices.deploymentGroups.delete(string groupId, DeploymentGroupDeleteParams { account_id } params, RequestOptions options?): DeploymentGroupDeleteResponse { id }
DELETE /accounts/{account_id}/devices/deployment-groups/{group_id}
Models
DeploymentGroup { id, created_at, name, 3 more }
id: string

The ID of the deployment group.

created_at: string

The RFC3339Nano timestamp when the deployment group was created.

name: string

A user-friendly name for the deployment group.

maxLength: 255
minLength: 1
updated_at: string

The RFC3339Nano timestamp when the deployment group was last updated.

version_config: Array<VersionConfig>

Contains version configurations for different target environments.

target_environment: string | null

The target environment for the client version (e.g., windows, macos).

version: string

The specific client version to deploy.

policy_ids?: Array<string> | null

Contains a list of policy IDs assigned to this deployment group.

DeploymentGroupDeleteResponse { id }
id?: string

The ID of a deleted deployment group.

Zero Trust > Devices > Networks

List your device managed networks
client.zeroTrust.devices.networks.list(NetworkListParams { account_id } params, RequestOptions options?): SinglePage<DeviceNetwork { config, name, network_id, type }>
GET /accounts/{account_id}/devices/networks
Get device managed network details
client.zeroTrust.devices.networks.get(string networkId, NetworkGetParams { account_id } params, RequestOptions options?): DeviceNetwork { config, name, network_id, type } | null
GET /accounts/{account_id}/devices/networks/{network_id}
Create a device managed network
client.zeroTrust.devices.networks.create(NetworkCreateParams { account_id, config, name, type } params, RequestOptions options?): DeviceNetwork { config, name, network_id, type } | null
POST /accounts/{account_id}/devices/networks
Update a device managed network
client.zeroTrust.devices.networks.update(string networkId, NetworkUpdateParams { account_id, config, name, type } params, RequestOptions options?): DeviceNetwork { config, name, network_id, type } | null
PUT /accounts/{account_id}/devices/networks/{network_id}
Delete a device managed network
client.zeroTrust.devices.networks.delete(string networkId, NetworkDeleteParams { account_id } params, RequestOptions options?): SinglePage<DeviceNetwork { config, name, network_id, type }>
DELETE /accounts/{account_id}/devices/networks/{network_id}
Models
DeviceNetwork { config, name, network_id, type }
config?: Config { tls_sockaddr, sha256 }

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: string

A network address of the form “host:port” that the WARP client will use to detect the presence of a TLS host.

sha256?: string

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

name?: string

The name of the device managed network. This name must be unique.

network_id?: string

API UUID.

maxLength: 36
type?: "tls"

The type of device managed network.

Zero Trust > Devices > Fleet Status

Get the live status of a latest device
client.zeroTrust.devices.fleetStatus.get(string deviceId, FleetStatusGetParams { account_id, since_minutes, colo, time_now } params, RequestOptions options?): FleetStatusGetResponse { colo, deviceId, mode, 37 more }
GET /accounts/{account_id}/dex/devices/{device_id}/fleet-status/live
Models
FleetStatusGetResponse { colo, deviceId, mode, 37 more }
colo: string

Cloudflare colo

deviceId: string

Device identifier (UUID v4)

mode: string

The mode under which the WARP client is run

platform: string

Operating system

status: string

Network status

timestamp: string

Timestamp in ISO format

version: string

WARP client version

alwaysOn?: boolean | null
batteryCharging?: boolean | null
batteryCycles?: number | null
format: int64
batteryPct?: number | null
format: float
connectionType?: string | null
cpuPct?: number | null
format: float
cpuPctByApp?: Array<Array<CPUPctByApp>> | null
cpu_pct?: number
format: float
name?: string
deviceIpv4?: DeviceIPV4 { address, asn, aso, 3 more }
address?: string | null
asn?: number | null
aso?: string | null
location?: Location { city, country_iso, state_iso, zip }
city?: string | null
country_iso?: string | null
state_iso?: string | null
zip?: string | null
netmask?: string | null
version?: string | null
deviceIpv6?: DeviceIPV6 { address, asn, aso, 3 more }
address?: string | null
asn?: number | null
aso?: string | null
location?: Location { city, country_iso, state_iso, zip }
city?: string | null
country_iso?: string | null
state_iso?: string | null
zip?: string | null
netmask?: string | null
version?: string | null
deviceName?: string

Device identifier (human readable)

deviceRegistration?: string | null (deprecated)
Use `registrationId` instead.

Deprecated: use registrationId. Device registration identifier (UUID v4).

diskReadBps?: number | null
format: int64
diskUsagePct?: number | null
format: float
diskWriteBps?: number | null
format: int64
dohSubdomain?: string | null
estimatedLossPct?: number | null
format: float
firewallEnabled?: boolean | null
gatewayIpv4?: GatewayIPV4 { address, asn, aso, 3 more }
address?: string | null
asn?: number | null
aso?: string | null
location?: Location { city, country_iso, state_iso, zip }
city?: string | null
country_iso?: string | null
state_iso?: string | null
zip?: string | null
netmask?: string | null
version?: string | null
gatewayIpv6?: GatewayIPV6 { address, asn, aso, 3 more }
address?: string | null
asn?: number | null
aso?: string | null
location?: Location { city, country_iso, state_iso, zip }
city?: string | null
country_iso?: string | null
state_iso?: string | null
zip?: string | null
netmask?: string | null
version?: string | null
handshakeLatencyMs?: number | null
format: int64
ispIpv4?: ISPIPV4 { address, asn, aso, 3 more }
address?: string | null
asn?: number | null
aso?: string | null
location?: Location { city, country_iso, state_iso, zip }
city?: string | null
country_iso?: string | null
state_iso?: string | null
zip?: string | null
netmask?: string | null
version?: string | null
ispIpv6?: ISPIPV6 { address, asn, aso, 3 more }
address?: string | null
asn?: number | null
aso?: string | null
location?: Location { city, country_iso, state_iso, zip }
city?: string | null
country_iso?: string | null
state_iso?: string | null
zip?: string | null
netmask?: string | null
version?: string | null
metal?: string | null
networkRcvdBps?: number | null
formatint64
networkSentBps?: number | null
formatint64
networkSsid?: string | null
personEmail?: string

User contact email address

ramAvailableKb?: number | null
formatint64
ramUsedPct?: number | null
formatfloat
ramUsedPctByApp?: Array<Array<RamUsedPctByApp>> | null
name?: string
ram_used_pct?: number
formatfloat
registrationId?: string | null

Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user’s registration on the device.

switchLocked?: boolean | null
wifiStrengthDbm?: number | null
formatint64

Zero Trust > Devices > Policies

Models
DevicePolicyCertificates { enabled }
enabled: boolean

The current status of the device policy certificate provisioning feature for WARP clients.

FallbackDomain { suffix, description, dns_server }
suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

FallbackDomainPolicy = Array<FallbackDomain { suffix, description, dns_server } > | null
suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 26 more }
allow_mode_switch?: boolean

Whether to allow the user to switch WARP between modes.

allow_updates?: boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: boolean

Whether to allow devices to leave the organization.

auto_connect?: number

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: number

Turn on the captive portal after the specified amount of time.

default?: boolean

Whether the policy is the default policy for an account.

description?: string

A description of the policy.

maxLength500
disable_auto_fallback?: boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes?: Array<DNSSearchSuffix>

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: string

The DNS search suffix to append when resolving short hostnames.

description?: string

A description of the DNS search suffix.

enabled?: boolean

Whether the policy will be applied to matching devices.

exclude?: Array<SplitTunnelExclude>

List of routes excluded in the WARP client’s tunnel.

One of the following:
TeamsDevicesExcludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesExcludeSplitTunnelWithHost { host, description }
host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips?: boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains?: Array<FallbackDomain { suffix, description, dns_server } >
suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

gateway_unique_id?: string
include?: Array<SplitTunnelInclude>

List of routes included in the WARP client’s tunnel.

One of the following:
TeamsDevicesIncludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesIncludeSplitTunnelWithHost { host, description }
host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
lan_allow_minutes?: number

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size?: number

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match?: string

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength500
name?: string

The name of the device settings profile.

maxLength100
policy_id?: string
maxLength36
precedence?: number

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns?: boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2?: ServiceModeV2 { mode, port }
mode?: string

The mode to run the WARP client under.

port?: number

The port number when used with proxy mode.

support_url?: string

The URL to launch when the Send Feedback button is clicked.

switch_locked?: boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests?: Array<TargetTest>
id?: string

The id of the DEX test targeting this policy.

name?: string

The name of the DEX test targeting this policy.

tunnel_protocol?: string

Determines which tunnel protocol to use.

virtual_networks?: VirtualNetworks | null

Virtual network access settings for the device.

allowed: Array<string>

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: string

The default virtual network ID. Must be included in the allowed list.

formatuuid
SplitTunnelExclude = TeamsDevicesExcludeSplitTunnelWithAddress { address, description } | TeamsDevicesExcludeSplitTunnelWithHost { host, description }
One of the following:
TeamsDevicesExcludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesExcludeSplitTunnelWithHost { host, description }
host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
SplitTunnelInclude = TeamsDevicesIncludeSplitTunnelWithAddress { address, description } | TeamsDevicesIncludeSplitTunnelWithHost { host, description }
One of the following:
TeamsDevicesIncludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesIncludeSplitTunnelWithHost { host, description }
host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
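
A pre-flight check for a device settings profile before it is sent to the create or update endpoints, as an added example (not Cloudflare's code): it enforces the constraints stated in the models above (address or host but not both, 100-character descriptions, `virtual_networks.default` inside `allowed`), lists fallback domains that will use the system resolvers, and orders profiles by `precedence`. Function names are hypothetical; treating "CIDR format" as `<ip>/<prefix>`, skipping profiles with `enabled: false`, and sorting an unset `precedence` last are assumptions.

```typescript
// Added example: field names follow the models above; all function names are hypothetical.
type SplitTunnelEntry = { address?: string; host?: string; description?: string };
type FallbackDomain = { suffix: string; description?: string; dns_server?: string[] };
type Profile = {
  name?: string; precedence?: number; enabled?: boolean; disable_auto_fallback?: boolean;
  include?: SplitTunnelEntry[]; exclude?: SplitTunnelEntry[];
  fallback_domains?: FallbackDomain[];
  virtual_networks?: { allowed: string[]; default: string } | null;
};

function isIPv4(s: string): boolean {
  const parts = s.split(".");
  return parts.length === 4 && parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function isIPv6(s: string): boolean {
  const halves = s.split("::"); // "::" may compress zero groups at most once
  if (halves.length > 2) return false;
  const groups: string[] = [];
  for (const h of halves) if (h !== "") groups.push(...h.split(":"));
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
  return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

// Assumption: "CIDR format" means <ip>/<prefix length>.
function isCidr(s: string): boolean {
  const slash = s.lastIndexOf("/");
  if (slash < 1) return false;
  const ip = s.slice(0, slash);
  const prefix = s.slice(slash + 1);
  if (!/^\d{1,3}$/.test(prefix)) return false;
  const bits = Number(prefix);
  return isIPv4(ip) ? bits <= 32 : isIPv6(ip) && bits <= 128;
}

function checkSplitTunnel(list: "include" | "exclude", entries: SplitTunnelEntry[]): string[] {
  const errors: string[] = [];
  entries.forEach((e, i) => {
    const at = `${list}[${i}]`;
    const hasAddr = e.address !== undefined;
    const hasHost = e.host !== undefined;
    // "If address is present, host must not be present", and the reverse.
    if (hasAddr === hasHost) errors.push(`${at}: exactly one of address or host is required`);
    if (hasAddr && !isCidr(e.address as string)) errors.push(`${at}: address is not in CIDR format`);
    if ((e.description ?? "").length > 100) errors.push(`${at}: description exceeds 100 characters`);
  });
  return errors;
}

function validateProfile(p: Profile): string[] {
  const errors = [
    ...checkSplitTunnel("include", p.include ?? []),
    ...checkSplitTunnel("exclude", p.exclude ?? []),
  ];
  if ((p.name ?? "").length > 100) errors.push("name exceeds 100 characters");
  (p.fallback_domains ?? []).forEach((d, i) => {
    const at = `fallback_domains[${i}]`;
    if ((d.description ?? "").length > 100) errors.push(`${at}: description exceeds 100 characters`);
    for (const ip of d.dns_server ?? []) {
      if (!isIPv4(ip) && !isIPv6(ip)) errors.push(`${at}: dns_server entry "${ip}" is not an IP address`);
    }
  });
  const vn = p.virtual_networks;
  if (vn) {
    if (vn.allowed.length === 0) errors.push("virtual_networks.allowed needs at least one entry");
    if (vn.allowed.indexOf(vn.default) === -1) errors.push("virtual_networks.default is not in allowed");
  }
  return errors;
}

// Suffixes that resolve through the system resolvers: dns_server is not
// present and disable_auto_fallback is not set to true.
function systemResolverFallbacks(p: Profile): string[] {
  if (p.disable_auto_fallback === true) return [];
  return (p.fallback_domains ?? []).filter((d) => d.dns_server === undefined).map((d) => d.suffix);
}

// Lower precedence is evaluated first. Assumptions: profiles with
// enabled === false are skipped and an unset precedence sorts last.
function evaluationOrder(profiles: Profile[]): string[] {
  const rank = (p: Profile): number => p.precedence ?? Number.POSITIVE_INFINITY;
  return profiles
    .filter((p) => p.enabled !== false)
    .sort((a, b) => (rank(a) === rank(b) ? 0 : rank(a) < rank(b) ? -1 : 1))
    .map((p) => p.name ?? "(unnamed)");
}

// Constructed sample profiles (not real account data).
const CONTRACTORS: Profile = {
  name: "contractors", precedence: 200, enabled: true,
  exclude: [
    { address: "10.0.0.0/8", description: "RFC 1918" },
    { address: "192.168.1.300/24" },                        // octet out of range
    { address: "203.0.113.0/24", host: "vpn.example.com" }, // both fields set
  ],
  fallback_domains: [
    { suffix: "corp.example.com" },                         // no dns_server
    { suffix: "lab.example.com", dns_server: ["10.1.1.53", "resolver-a"] },
  ],
  virtual_networks: {
    allowed: ["11111111-1111-4111-8111-111111111111"],
    default: "22222222-2222-4222-8222-222222222222",
  },
};
const ENGINEERING: Profile = {
  name: "engineering", precedence: 100, enabled: true,
  include: [{ host: "git.example.com" }, { address: "2001:db8::/32" }],
};
const RETIRED: Profile = { name: "retired", precedence: 50, enabled: false };
```

Running `validateProfile` over every profile in a change set before the `PUT` or `PATCH` call keeps a malformed split tunnel or virtual network entry from reaching the account.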

Zero Trust > Devices > Policies > Default

Get the default device settings profile
client.zeroTrust.devices.policies.default.get(DefaultGetParams { account_id } params, RequestOptions options?): DefaultGetResponse { allow_mode_switch, allow_updates, allowed_to_leave, 19 more } | null
GET /accounts/{account_id}/devices/policy
Update the default device settings profile
client.zeroTrust.devices.policies.default.edit(DefaultEditParams { account_id, allow_mode_switch, allow_updates, 17 more } params, RequestOptions options?): DefaultEditResponse { allow_mode_switch, allow_updates, allowed_to_leave, 19 more } | null
PATCH /accounts/{account_id}/devices/policy
Models
DefaultGetResponse { allow_mode_switch, allow_updates, allowed_to_leave, 19 more }
allow_mode_switch?: boolean

Whether to allow the user to switch WARP between modes.

allow_updates?: boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: boolean

Whether to allow devices to leave the organization.

auto_connect?: number

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: number

Turn on the captive portal after the specified amount of time.

default?: boolean

Whether the policy will be applied to matching devices.

disable_auto_fallback?: boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes?: Array<DNSSearchSuffix>

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: string

The DNS search suffix to append when resolving short hostnames.

description?: string

A description of the DNS search suffix.

enabled?: boolean

Whether the policy will be applied to matching devices.

exclude?: Array<SplitTunnelExclude>

List of routes excluded in the WARP client’s tunnel.

One of the following:
TeamsDevicesExcludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesExcludeSplitTunnelWithHost { host, description }
host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips?: boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains?: Array<FallbackDomain { suffix, description, dns_server } >
suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

gateway_unique_id?: string
include?: Array<SplitTunnelInclude>

List of routes included in the WARP client’s tunnel.

One of the following:
TeamsDevicesIncludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesIncludeSplitTunnelWithHost { host, description }
host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
policy_id?: string
maxLength36
register_interface_ip_with_dns?: boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2?: ServiceModeV2 { mode, port }
mode?: string

The mode to run the WARP client under.

port?: number

The port number when used with proxy mode.

support_url?: string

The URL to launch when the Send Feedback button is clicked.

switch_locked?: boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol?: string

Determines which tunnel protocol to use.

virtual_networks?: VirtualNetworks | null

Virtual network access settings for the device.

allowed: Array<string>

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: string

The default virtual network ID. Must be included in the allowed list.

formatuuid
DefaultEditResponse { allow_mode_switch, allow_updates, allowed_to_leave, 19 more }
allow_mode_switch?: boolean

Whether to allow the user to switch WARP between modes.

allow_updates?: boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: boolean

Whether to allow devices to leave the organization.

auto_connect?: number

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: number

Turn on the captive portal after the specified amount of time.

default?: boolean

Whether the policy will be applied to matching devices.

disable_auto_fallback?: boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes?: Array<DNSSearchSuffix>

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: string

The DNS search suffix to append when resolving short hostnames.

description?: string

A description of the DNS search suffix.

enabled?: boolean

Whether the policy will be applied to matching devices.

exclude?: Array<SplitTunnelExclude>

List of routes excluded in the WARP client’s tunnel.

One of the following:
TeamsDevicesExcludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesExcludeSplitTunnelWithHost { host, description }
host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips?: boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains?: Array<FallbackDomain { suffix, description, dns_server } >
suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

gateway_unique_id?: string
include?: Array<SplitTunnelInclude>

List of routes included in the WARP client’s tunnel.

One of the following:
TeamsDevicesIncludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesIncludeSplitTunnelWithHost { host, description }
host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
policy_id?: string
maxLength36
register_interface_ip_with_dns?: boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2?: ServiceModeV2 { mode, port }
mode?: string

The mode to run the WARP client under.

port?: number

The port number when used with proxy mode.

support_url?: string

The URL to launch when the Send Feedback button is clicked.

switch_locked?: boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol?: string

Determines which tunnel protocol to use.

virtual_networks?: VirtualNetworks | null

Virtual network access settings for the device.

allowed: Array<string>

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: string

The default virtual network ID. Must be included in the allowed list.

formatuuid

Zero Trust > Devices > Policies > Default > Excludes

Get the Split Tunnel exclude list
client.zeroTrust.devices.policies.default.excludes.get(ExcludeGetParams { account_id } params, RequestOptions options?): SinglePage<SplitTunnelExclude>
GET /accounts/{account_id}/devices/policy/exclude
Set the Split Tunnel exclude list
client.zeroTrust.devices.policies.default.excludes.update(ExcludeUpdateParams { account_id, body } params, RequestOptions options?): SinglePage<SplitTunnelExclude>
PUT /accounts/{account_id}/devices/policy/exclude

Zero Trust > Devices > Policies > Default > Includes

Get the Split Tunnel include list
client.zeroTrust.devices.policies.default.includes.get(IncludeGetParams { account_id } params, RequestOptions options?): SinglePage<SplitTunnelInclude>
GET /accounts/{account_id}/devices/policy/include
Set the Split Tunnel include list
client.zeroTrust.devices.policies.default.includes.update(IncludeUpdateParams { account_id, body } params, RequestOptions options?): SinglePage<SplitTunnelInclude>
PUT /accounts/{account_id}/devices/policy/include

Zero Trust > Devices > Policies > Default > Fallback Domains

Get your Local Domain Fallback list
client.zeroTrust.devices.policies.default.fallbackDomains.get(FallbackDomainGetParams { account_id } params, RequestOptions options?): SinglePage<FallbackDomain { suffix, description, dns_server } >
GET /accounts/{account_id}/devices/policy/fallback_domains
Set your Local Domain Fallback list
client.zeroTrust.devices.policies.default.fallbackDomains.update(FallbackDomainUpdateParams { account_id, domains } params, RequestOptions options?): SinglePage<FallbackDomain { suffix, description, dns_server } >
PUT /accounts/{account_id}/devices/policy/fallback_domains

Zero Trust > Devices > Policies > Default > Certificates

Get device certificate provisioning status
client.zeroTrust.devices.policies.default.certificates.get(CertificateGetParams { zone_id } params, RequestOptions options?): DevicePolicyCertificates { enabled } | null
GET /zones/{zone_id}/devices/policy/certificates
Update device certificate provisioning status
client.zeroTrust.devices.policies.default.certificates.edit(CertificateEditParams { zone_id, enabled } params, RequestOptions options?): DevicePolicyCertificates { enabled } | null
PATCH /zones/{zone_id}/devices/policy/certificates

Zero Trust > Devices > Policies > Custom

List device settings profiles
client.zeroTrust.devices.policies.custom.list(CustomListParams { account_id } params, RequestOptions options?): SinglePage<SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 26 more } >
GET /accounts/{account_id}/devices/policies
Get device settings profile by ID
client.zeroTrust.devices.policies.custom.get(string policyId, CustomGetParams { account_id } params, RequestOptions options?): SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 26 more } | null
GET /accounts/{account_id}/devices/policy/{policy_id}
Create a device settings profile
client.zeroTrust.devices.policies.custom.create(CustomCreateParams { account_id, match, name, 22 more } params, RequestOptions options?): SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 26 more } | null
POST /accounts/{account_id}/devices/policy
Update a device settings profile
client.zeroTrust.devices.policies.custom.edit(string policyId, CustomEditParams { account_id, allow_mode_switch, allow_updates, 22 more } params, RequestOptions options?): SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 26 more } | null
PATCH /accounts/{account_id}/devices/policy/{policy_id}
Delete a device settings profile
client.zeroTrust.devices.policies.custom.delete(string policyId, CustomDeleteParams { account_id } params, RequestOptions options?): SinglePage<SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 26 more } >
DELETE /accounts/{account_id}/devices/policy/{policy_id}

Zero Trust > Devices > Policies > Custom > Excludes

Get the Split Tunnel exclude list for a device settings profile
client.zeroTrust.devices.policies.custom.excludes.get(string policyId, ExcludeGetParams { account_id } params, RequestOptions options?): SinglePage<SplitTunnelExclude>
GET /accounts/{account_id}/devices/policy/{policy_id}/exclude
Set the Split Tunnel exclude list for a device settings profile
client.zeroTrust.devices.policies.custom.excludes.update(string policyId, ExcludeUpdateParams { account_id, body } params, RequestOptions options?): SinglePage<SplitTunnelExclude>
PUT /accounts/{account_id}/devices/policy/{policy_id}/exclude

Zero Trust > Devices > Policies > Custom > Includes

Get the Split Tunnel include list for a device settings profile
client.zeroTrust.devices.policies.custom.includes.get(string policyId, IncludeGetParams { account_id } params, RequestOptions options?): SinglePage<SplitTunnelInclude>
GET /accounts/{account_id}/devices/policy/{policy_id}/include
Set the Split Tunnel include list for a device settings profile
client.zeroTrust.devices.policies.custom.includes.update(string policyId, IncludeUpdateParams { account_id, body } params, RequestOptions options?): SinglePage<SplitTunnelInclude>
PUT /accounts/{account_id}/devices/policy/{policy_id}/include

Zero Trust > Devices > Policies > Custom > Fallback Domains

Get the Local Domain Fallback list for a device settings profile
client.zeroTrust.devices.policies.custom.fallbackDomains.get(string policyId, FallbackDomainGetParams { account_id } params, RequestOptions options?): SinglePage<FallbackDomain { suffix, description, dns_server } >
GET /accounts/{account_id}/devices/policy/{policy_id}/fallback_domains
Set the Local Domain Fallback list for a device settings profile
client.zeroTrust.devices.policies.custom.fallbackDomains.update(string policyId, FallbackDomainUpdateParams { account_id, domains } params, RequestOptions options?): SinglePage<FallbackDomain { suffix, description, dns_server } >
PUT /accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Zero Trust > Devices > Posture

List device posture rules
client.zeroTrust.devices.posture.list(PostureListParams { account_id } params, RequestOptions options?): SinglePage<DevicePostureRule { id, description, expiration, 5 more } >
GET /accounts/{account_id}/devices/posture
Get device posture rule details
client.zeroTrust.devices.posture.get(string ruleId, PostureGetParams { account_id } params, RequestOptions options?): DevicePostureRule { id, description, expiration, 5 more } | null
GET /accounts/{account_id}/devices/posture/{rule_id}
Create a device posture rule
client.zeroTrust.devices.posture.create(PostureCreateParams { account_id, name, type, 5 more } params, RequestOptions options?): DevicePostureRule { id, description, expiration, 5 more } | null
POST /accounts/{account_id}/devices/posture
Update a device posture rule
client.zeroTrust.devices.posture.update(string ruleId, PostureUpdateParams { account_id, name, type, 5 more } params, RequestOptions options?): DevicePostureRule { id, description, expiration, 5 more } | null
PUT /accounts/{account_id}/devices/posture/{rule_id}
Delete a device posture rule
client.zeroTrust.devices.posture.delete(string ruleId, PostureDeleteParams { account_id } params, RequestOptions options?): PostureDeleteResponse { id } | null
DELETE /accounts/{account_id}/devices/posture/{rule_id}
Models
CarbonblackInput = string
ClientCertificateInput { certificate_id, cn }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36
cn: string

Common Name that is protected by the certificate.

CrowdstrikeInput { connection_id, last_seen, operator, 6 more }
connection_id: string

Posture Integration ID.

last_seen?: string

For more details on last seen, please refer to the CrowdStrike documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
os?: string

OS version.

overall?: string

Overall.

sensor_config?: string

SensorConfig.

state?: "online" | "offline" | "unknown"

For more details on state, please refer to the CrowdStrike documentation.

One of the following:
"online"
"offline"
"unknown"
version?: string

Version.

versionOperator?: "<" | "<=" | ">" | 2 more

Version Operator.

One of the following:
"<"
"<="
">"
">="
"=="
DeviceInput = FileInput { operating_system, path, exists, 2 more } | UniqueClientIDInput { id, operating_system } | DomainJoinedInput { operating_system, domain } | 17 more

The value to be checked against.

One of the following:
FileInput { operating_system, path, exists, 2 more }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

exists?: boolean

Whether the file exists.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

UniqueClientIDInput { id, operating_system }
id: string

List ID.

operating_system: "android" | "ios" | "chromeos"

Operating System.

One of the following:
"android"
"ios"
"chromeos"
DomainJoinedInput { operating_system, domain }
operating_system: "windows"

Operating System.

domain?: string

Domain.

OSVersionInput { operating_system, operator, version, 3 more }
operating_system: "windows"

Operating System.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
version: string

Version of OS.

os_distro_name?: string

Operating system distribution name (Linux only).

os_distro_revision?: string

Version of the OS distribution (Linux only).

os_version_extra?: string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

FirewallInput { enabled, operating_system }
enabled: boolean

Enabled.

operating_system: "windows" | "mac"

Operating System.

One of the following:
"windows"
"mac"
SentineloneInput { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

TeamsDevicesAccessSerialNumberListInputRequest { id }
id: string

UUID of Access List.

maxLength36
DiskEncryptionInput { checkDisks, requireAll }
checkDisks?: Array<CarbonblackInput>

List of volume names to be checked for encryption.

requireAll?: boolean

Whether to check all disks for encryption.

TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

Path for the application.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

ClientCertificateInput { certificate_id, cn }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36
cn: string

Common Name that is protected by the certificate.

TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36
check_private_key: boolean

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
cn?: string

Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.

extended_key_usage?: Array<"clientAuth" | "emailProtection">

List of values indicating purposes for which the certificate public key can be used.

One of the following:
"clientAuth"
"emailProtection"
locations?: Locations { paths, trust_stores }
paths?: Array<string>

List of paths to check for the client certificate on Linux.

trust_stores?: Array<"system" | "user">

List of trust stores to check for client certificate.

One of the following:
"system"
"user"
subject_alternative_names?: Array<string>

List of certificate Subject Alternative Names.

TeamsDevicesAntivirusInputRequest { update_window_days }
update_window_days?: number

Number of days within which the antivirus should have been updated.

WorkspaceOneInput { compliance_status, connection_id }
compliance_status: "compliant" | "noncompliant" | "unknown"

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
connection_id: string

Posture Integration ID.

CrowdstrikeInput { connection_id, last_seen, operator, 6 more }
connection_id: string

Posture Integration ID.

last_seen?: string

For more details on last seen, please refer to the CrowdStrike documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
os?: string

OS version.

overall?: string

Overall.

sensor_config?: string

SensorConfig.

state?: "online" | "offline" | "unknown"

For more details on state, please refer to the CrowdStrike documentation.

One of the following:
"online"
"offline"
"unknown"
version?: string

Version.

versionOperator?: "<" | "<=" | ">" | 2 more

Version Operator.

One of the following:
"<"
"<="
">"
">="
"=="
IntuneInput { compliance_status, connection_id }
compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
"notapplicable"
"ingraceperiod"
"error"
connection_id: string

Posture Integration ID.

KolideInput { connection_id, auth_state, countOperator, issue_count }
connection_id: string

Posture Integration ID.

auth_state?: Array<"Good" | "Notified" | "Will Block" | "Blocked">

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

One of the following:
"Good"
"Notified"
"Will Block"
"Blocked"
countOperator?: "<" | "<=" | ">" | 2 more

Count Operator.

One of the following:
"<"
"<="
">"
">="
"=="
issue_count?: string

The number of issues.

TaniumInput { connection_id, eid_last_seen, operator, 3 more }
connection_id: string

Posture Integration ID.

eid_last_seen?: string

For more details on eid last seen, refer to the Tanium documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:
"<"
"<="
">"
">="
"=="
risk_level?: "low" | "medium" | "high" | "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:
"low"
"medium"
"high"
"critical"
scoreOperator?: "<" | "<=" | ">" | 2 more

Score Operator.

One of the following:
"<"
"<="
">"
">="
"=="
total_score?: number

For more details on total score, refer to the Tanium documentation.

SentineloneS2sInput { connection_id, active_threats, infected, 4 more }
connection_id: string

Posture Integration ID.

active_threats?: number

The number of active threats.

infected?: boolean

Whether device is infected.

is_active?: boolean

Whether device is active.

network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"

Network status of device.

One of the following:
"connected"
"disconnected"
"disconnecting"
"connecting"
operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more

Agent operational state.

One of the following:
"na"
"partially_disabled"
"auto_fully_disabled"
"fully_disabled"
"auto_partially_disabled"
"disabled_error"
"db_corruption"
operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }
connection_id: string

Posture Integration ID.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
score: number

A value between 0 and 100 assigned to devices by the third-party posture provider.

DeviceMatch { platform }
platform?: "windows" | "mac" | "linux" | 3 more
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
DevicePostureRule { id, description, expiration, 5 more }
id?: string

API UUID.

maxLength: 36
description?: string

The description of the device posture rule.

expiration?: string

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input?: DeviceInput

The value to be checked against.

match?: Array<DeviceMatch { platform } >

The conditions that the client must match to run the rule.

platform?: "windows" | "mac" | "linux" | 3 more
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
name?: string

The name of the device posture rule.

schedule?: string

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type?: "file" | "application" | "tanium" | 20 more

The type of device posture rule.

One of the following:
"file"
"application"
"tanium"
"gateway"
"warp"
"disk_encryption"
"serial_number"
"sentinelone"
"carbonblack"
"firewall"
"os_version"
"domain_joined"
"client_certificate"
"client_certificate_v2"
"antivirus"
"unique_client_id"
"kolide"
"tanium_s2s"
"crowdstrike_s2s"
"intune"
"workspace_one"
"sentinelone_s2s"
"custom_s2s"
DiskEncryptionInput { checkDisks, requireAll }
checkDisks?: Array<CarbonblackInput>

List of volume names to be checked for encryption.

requireAll?: boolean

Whether to check all disks for encryption.

DomainJoinedInput { operating_system, domain }
operating_system: "windows"

Operating System.

domain?: string

Domain.

FileInput { operating_system, path, exists, 2 more }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

exists?: boolean

Whether or not file exists.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

FirewallInput { enabled, operating_system }
enabled: boolean

Enabled.

operating_system: "windows" | "mac"

Operating System.

One of the following:
"windows"
"mac"
IntuneInput { compliance_status, connection_id }
compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
"notapplicable"
"ingraceperiod"
"error"
connection_id: string

Posture Integration ID.

KolideInput { connection_id, auth_state, countOperator, issue_count }
connection_id: string

Posture Integration ID.

auth_state?: Array<"Good" | "Notified" | "Will Block" | "Blocked">

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

One of the following:
"Good"
"Notified"
"Will Block"
"Blocked"
countOperator?: "<" | "<=" | ">" | 2 more

Count Operator.

One of the following:
"<"
"<="
">"
">="
"=="
issue_count?: string

The number of issues.

OSVersionInput { operating_system, operator, version, 3 more }
operating_system: "windows"

Operating System.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
version: string

Version of OS.

os_distro_name?: string

Operating System Distribution Name (linux only).

os_distro_revision?: string

Version of OS Distribution (linux only).

os_version_extra?: string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

SentineloneInput { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

SentineloneS2sInput { connection_id, active_threats, infected, 4 more }
connection_id: string

Posture Integration ID.

active_threats?: number

The number of active threats.

infected?: boolean

Whether device is infected.

is_active?: boolean

Whether device is active.

network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"

Network status of device.

One of the following:
"connected"
"disconnected"
"disconnecting"
"connecting"
operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more

Agent operational state.

One of the following:
"na"
"partially_disabled"
"auto_fully_disabled"
"fully_disabled"
"auto_partially_disabled"
"disabled_error"
"db_corruption"
operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
TaniumInput { connection_id, eid_last_seen, operator, 3 more }
connection_id: string

Posture Integration ID.

eid_last_seen?: string

For more details on eid last seen, refer to the Tanium documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:
"<"
"<="
">"
">="
"=="
risk_level?: "low" | "medium" | "high" | "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:
"low"
"medium"
"high"
"critical"
scoreOperator?: "<" | "<=" | ">" | 2 more

Score Operator.

One of the following:
"<"
"<="
">"
">="
"=="
total_score?: number

For more details on total score, refer to the Tanium documentation.

UniqueClientIDInput { id, operating_system }
id: string

List ID.

operating_system: "android" | "ios" | "chromeos"

Operating System.

One of the following:
"android"
"ios"
"chromeos"
WorkspaceOneInput { compliance_status, connection_id }
compliance_status: "compliant" | "noncompliant" | "unknown"

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
connection_id: string

Posture Integration ID.

PostureDeleteResponse { id }
id?: string

API UUID.

maxLength: 36

Zero Trust Devices Posture Integrations

List your device posture integrations
client.zeroTrust.devices.posture.integrations.list(IntegrationListParams { account_id } params, RequestOptions options?): SinglePage<Integration { id, config, interval, 2 more }>
GET /accounts/{account_id}/devices/posture/integration
Get device posture integration details
client.zeroTrust.devices.posture.integrations.get(string integrationId, IntegrationGetParams { account_id } params, RequestOptions options?): Integration { id, config, interval, 2 more } | null
GET /accounts/{account_id}/devices/posture/integration/{integration_id}
Create a device posture integration
client.zeroTrust.devices.posture.integrations.create(IntegrationCreateParams { account_id, config, interval, 2 more } params, RequestOptions options?): Integration { id, config, interval, 2 more } | null
POST /accounts/{account_id}/devices/posture/integration
Update a device posture integration
client.zeroTrust.devices.posture.integrations.edit(string integrationId, IntegrationEditParams { account_id, config, interval, 2 more } params, RequestOptions options?): Integration { id, config, interval, 2 more } | null
PATCH /accounts/{account_id}/devices/posture/integration/{integration_id}
Delete a device posture integration
client.zeroTrust.devices.posture.integrations.delete(string integrationId, IntegrationDeleteParams { account_id } params, RequestOptions options?): IntegrationDeleteResponse | null
DELETE /accounts/{account_id}/devices/posture/integration/{integration_id}
Models
Integration { id, config, interval, 2 more }
id?: string

API UUID.

maxLength: 36
config?: Config { api_url, auth_url, client_id }

The configuration object containing third-party integration information.

api_url: string

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: string

The Workspace One Authorization URL depending on your region.

client_id: string

The Workspace One client ID provided in the Workspace One Admin Dashboard.

interval?: string

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name?: string

The name of the device posture integration.

type?: "workspace_one" | "crowdstrike_s2s" | "uptycs" | 5 more

The type of device posture integration.

One of the following:
"workspace_one"
"crowdstrike_s2s"
"uptycs"
"intune"
"kolide"
"tanium_s2s"
"sentinelone_s2s"
"custom_s2s"
IntegrationDeleteResponse = unknown | string | null
One of the following:
unknown
string

Zero Trust Devices Revoke

Revoke devices (deprecated)
Deprecated
client.zeroTrust.devices.revoke.create(RevokeCreateParams { account_id, body } params, RequestOptions options?): RevokeCreateResponse | null
POST /accounts/{account_id}/devices/revoke
Models
RevokeCreateResponse = unknown | string | null
One of the following:
unknown
string

Zero Trust Devices Settings

Get device settings for a Zero Trust account
client.zeroTrust.devices.settings.get(SettingGetParams { account_id } params, RequestOptions options?): DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more } | null
GET /accounts/{account_id}/devices/settings
Update device settings for a Zero Trust account
client.zeroTrust.devices.settings.update(SettingUpdateParams { account_id, disable_for_time, external_emergency_signal_enabled, 7 more } params, RequestOptions options?): DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more } | null
PUT /accounts/{account_id}/devices/settings
Patch device settings for a Zero Trust account
client.zeroTrust.devices.settings.edit(SettingEditParams { account_id, disable_for_time, external_emergency_signal_enabled, 7 more } params, RequestOptions options?): DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more } | null
PATCH /accounts/{account_id}/devices/settings
Reset device settings for a Zero Trust account with defaults. This turns off all proxying.
client.zeroTrust.devices.settings.delete(SettingDeleteParams { account_id } params, RequestOptions options?): DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more } | null
DELETE /accounts/{account_id}/devices/settings
Models
DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more }
disable_for_time?: number

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled?: boolean

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint?: string

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server’s identity. The device will ignore any response if the server’s certificate fingerprint does not exactly match this value.

external_emergency_signal_interval?: string

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., “5m”, “2m30s”, “1h”). Minimum 30 seconds.

external_emergency_signal_url?: string

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled?: boolean

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled?: boolean

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled?: boolean

Enable installation of the Cloudflare-managed root certificate.

use_zt_virtual_ip?: boolean

Enable using CGNAT virtual IPv4.
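
A pre-flight check for the constraints stated in the posture rule `schedule` description and the `DeviceSettings` emergency-signal descriptions above, as an added example rather than Cloudflare SDK code. The function names, the h/m/s-only duration grammar and the sample values are assumptions.

```javascript
// Added example (not part of the Cloudflare SDK): validate settings locally
// before sending them. Limits are taken from the field descriptions above.

const UNIT_SECONDS = { h: 3600, m: 60, s: 1 };

// Parse duration strings such as "5m", "2m30s" or "1h" into seconds.
// Assumption: only integer h/m/s components, as in the documented examples.
function parseDuration(text) {
  if (typeof text !== "string" || !/^(\d+[hms])+$/.test(text)) return null;
  let total = 0;
  for (const [, n, unit] of text.matchAll(/(\d+)([hms])/g)) {
    total += Number(n) * UNIT_SECONDS[unit];
  }
  return total;
}

// The URL parser keeps IPv6 literals in brackets and rejects malformed ones,
// so a bracketed hostname is already a valid IPv6 address.
function isIpLiteralHost(hostname) {
  if (hostname.startsWith("[") && hostname.endsWith("]")) return true;
  const parts = hostname.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// DevicePostureRule.schedule: "Minimum: 1m". Returns an error string or null.
function validatePostureSchedule(schedule) {
  const secs = parseDuration(schedule);
  if (secs === null) return "schedule: not a duration string";
  if (secs < 60) return "schedule: minimum is 1m";
  return null;
}

// DeviceSettings emergency-signal fields. Only fields that are present are
// checked; the page does not say which ones are required together.
function validateDeviceSettings(settings) {
  const errors = [];
  const warnings = [];
  const url = settings.external_emergency_signal_url;
  const pin = settings.external_emergency_signal_fingerprint;
  const interval = settings.external_emergency_signal_interval;

  if (url !== undefined) {
    let parsed = null;
    try {
      parsed = new URL(url);
    } catch {
      errors.push("url: not a valid URL");
    }
    if (parsed) {
      if (parsed.protocol !== "https:") errors.push("url: must use HTTPS");
      if (!isIpLiteralHost(parsed.hostname)) {
        errors.push("url: host must be an IPv4 or IPv6 address");
      }
    }
    // Review hint: the fingerprint is what the client uses to verify the
    // server's identity, so flag a URL configured without one.
    if (pin === undefined) warnings.push("url set without a certificate fingerprint");
  }

  if (pin !== undefined && !/^[0-9a-fA-F]{64}$/.test(pin)) {
    errors.push("fingerprint: expected 64 hexadecimal characters");
  }

  if (interval !== undefined) {
    const secs = parseDuration(interval);
    if (secs === null) errors.push("interval: not a duration string");
    else if (secs < 30) errors.push("interval: minimum is 30 seconds");
  }
  return { errors, warnings };
}

// Constructed sample values (192.0.2.0/24 is a documentation range).
const sampleSettings = {
  external_emergency_signal_enabled: true,
  external_emergency_signal_url: "https://192.0.2.10/disconnect",
  external_emergency_signal_fingerprint: "ab".repeat(32),
  external_emergency_signal_interval: "2m30s",
};
console.log(validateDeviceSettings(sampleSettings));
console.log(validatePostureSchedule("30s"));
```
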

Zero Trust Devices Unrevoke

Unrevoke devices (deprecated)
Deprecated
client.zeroTrust.devices.unrevoke.create(UnrevokeCreateParams { account_id, body } params, RequestOptions options?): UnrevokeCreateResponse | null
POST /accounts/{account_id}/devices/unrevoke
Models
UnrevokeCreateResponse = unknown | string | null
One of the following:
unknown
string

Zero Trust Devices Override Codes

Get override codes (deprecated)
Deprecated
client.zeroTrust.devices.overrideCodes.list(string deviceId, OverrideCodeListParams { account_id } params, RequestOptions options?): SinglePage<OverrideCodeListResponse>
GET /accounts/{account_id}/devices/{device_id}/override_codes
Get override codes
client.zeroTrust.devices.overrideCodes.get(string registrationId, OverrideCodeGetParams { account_id } params, RequestOptions options?): OverrideCodeGetResponse { disable_for_time }
GET /accounts/{account_id}/devices/registrations/{registration_id}/override_codes
Models
OverrideCodeListResponse = unknown
OverrideCodeGetResponse { disable_for_time }
disable_for_time?: Record<string, string>

Zero Trust Identity Providers

List Access identity providers
client.zeroTrust.identityProviders.list(IdentityProviderListParams { account_id, zone_id, page, 2 more } params?, RequestOptions options?): V4PagePaginationArray<IdentityProviderListResponse>
GET /{accounts_or_zones}/{account_or_zone_id}/access/identity_providers
Get an Access identity provider
client.zeroTrust.identityProviders.get(string identityProviderId, IdentityProviderGetParams { account_id, zone_id } params?, RequestOptions options?): IdentityProvider
GET /{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}
Add an Access identity provider
client.zeroTrust.identityProviders.create(IdentityProviderCreateParams params, RequestOptions options?): IdentityProvider
POST /{accounts_or_zones}/{account_or_zone_id}/access/identity_providers
Update an Access identity provider
client.zeroTrust.identityProviders.update(string identityProviderId, IdentityProviderUpdateParams params, RequestOptions options?): IdentityProvider
PUT /{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}
Delete an Access identity provider
client.zeroTrust.identityProviders.delete(string identityProviderId, IdentityProviderDeleteParams { account_id, zone_id } params?, RequestOptions options?): IdentityProviderDeleteResponse { id }
DELETE /{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}
Models
AzureAD { config, name, type, 5 more }
config: Config { claims, client_id, client_secret, 5 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

conditional_access_enabled?: boolean

Should Cloudflare try to load authentication contexts from your account

directory_id?: string

Your Azure directory UUID

email_claim_name?: string

The claim name for email in the id_token response.

prompt?: "login" | "select_account" | "none"

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or remembered, or an option to use a different account altogether.

One of the following:
"login"
"select_account"
"none"
support_groups?: boolean

Should Cloudflare try to load groups from your account

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength: 36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

format: uuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

format: uuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

GenericOAuthConfig { client_id, client_secret }
client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

IdentityProvider = AzureAD { config, name, type, 5 more } | AccessCentrify { config, name, type, 5 more } | AccessFacebook { config, name, type, 5 more } | 12 more
One of the following:
AzureAD { config, name, type, 5 more }
config: Config { claims, client_id, client_secret, 5 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

conditional_access_enabled?: boolean

Should Cloudflare try to load authentication contexts from your account

directory_id?: string

Your Azure directory UUID

email_claim_name?: string

The claim name for email in the id_token response.

prompt?: "login" | "select_account" | "none"

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or remembered, or an option to use a different account altogether.

One of the following:
"login"
"select_account"
"none"
support_groups?: boolean

Should Cloudflare try to load groups from your account

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength: 36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

format: uuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

format: uuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessCentrify { config, name, type, 5 more }
config: Config { centrify_account, centrify_app_id, claims, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

centrify_account?: string

Your Centrify account URL

centrify_app_id?: string

Your Centrify app ID

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength: 36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

format: uuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

format: uuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessFacebook { config, name, type, 5 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength: 36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

format: uuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

format: uuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessGitHub { config, name, type, 5 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength: 36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

format: uuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

format: uuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessGoogle { config, name, type, 5 more }
config: Config { claims, client_id, client_secret, email_claim_name }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength: 36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessGoogleApps { config, name, type, 5 more }
config: Config { apps_domain, claims, client_id, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

apps_domain?: string

Your company’s TLD

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessLinkedin { config, name, type, 5 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOIDC { config, name, type, 5 more }
config: Config { auth_url, certs_url, claims, 6 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

auth_url?: string

The authorization_endpoint URL of your IdP

certs_url?: string

The jwks_uri endpoint of your IdP, which serves the keys the IdP uses to sign the tokens

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

pkce_enabled?: boolean

Enable Proof Key for Code Exchange (PKCE)

scopes?: Array<string>

OAuth scopes

token_url?: string

The token_endpoint URL of your IdP

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOkta { config, name, type, 5 more }
config: Config { authorization_server_id, claims, client_id, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

authorization_server_id?: string

Your Okta authorization server ID

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

okta_account?: string

Your Okta account URL

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOnelogin { config, name, type, 5 more }
config: Config { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

onelogin_account?: string

Your OneLogin account URL

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessPingone { config, name, type, 5 more }
config: Config { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

ping_env_id?: string

Your PingOne environment identifier

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessSAML { config, name, type, 5 more }
config: Config { attributes, email_attribute_name, enable_encryption, 5 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

attributes?: Array<string>

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name?: string

The attribute name for email in the SAML response.

enable_encryption?: boolean

Enable SAML assertion encryption. When enabled, the Identity Provider will encrypt SAML assertions using the certificate from the assigned certificate set.

To enable encryption:

  1. Create a certificate set via POST to /identity_providers/{id}/saml_certificate
  2. Set this field to true and include saml_certificate_set_id in the PUT request
  3. Configure the public certificate in your external Identity Provider

Note: Requires saml_certificate_set_id to be set when true.

header_attributes?: Array<HeaderAttribute>

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name?: string

Attribute name from the IdP

header_name?: string

Header that will be added to the request to the origin

idp_public_certs?: Array<string>

X.509 certificate used to verify the signature in the SAML authentication response

issuer_url?: string

IdP Entity ID or Issuer URL

sign_request?: boolean

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url?: string

URL to send the SAML authentication requests to

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessYandex { config, name, type, 5 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOnetimepin { config, name, type, 5 more }
config: Config { redirect_url }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

redirect_url?: string
name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessCloudflare { config, name, type, 5 more }
config: Config { redirect_url, restrict_to_account_members }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

redirect_url?: string
restrict_to_account_members?: boolean

When enabled, only users who are members of your Cloudflare account can authenticate through this identity provider. When disabled, any user with a Cloudflare account can authenticate, subject to your Access policies.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

formatuuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

formatuuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.
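The constraints stated in the `enable_encryption` note and in the `IdentityProviderSCIMConfig` fields above can be checked offline against identity provider objects that have already been retrieved. The following TypeScript is an added example, not part of the SDK or of this reference; the rule names, the `auditIdentityProvider` and `auditAll` helpers, the `scim-changes-ignored` policy and all sample data are assumptions made for illustration.

```typescript
// Added example: offline audit of objects shaped like the models on this page.
// Rule names and all sample data are constructed for illustration.
interface Certificate { is_current: boolean; not_after: string; public_certificate: string; uid: string }
interface SAMLCertificateSet {
  created_at: string; uid: string; updated_at: string;
  current_certificate?: Certificate;
  previous_certificate?: unknown; // null when no rotation has occurred
}
interface SCIMConfig {
  enabled?: boolean;
  identity_update_behavior?: "automatic" | "reauth" | "no_action";
  seat_deprovision?: boolean;
  user_deprovision?: boolean;
}
interface IdentityProvider {
  name: string;
  type: string;
  config: { enable_encryption?: boolean; [key: string]: unknown };
  saml_certificate_set?: SAMLCertificateSet;
  saml_certificate_set_id?: string;
  scim_config?: SCIMConfig;
}
interface Finding { idp: string; rule: string; detail: string }

const ROTATION_WINDOW_MS = 30 * 24 * 60 * 60 * 1000; // "rotated 30 days before expiration"

function auditIdentityProvider(idp: IdentityProvider, now: Date): Finding[] {
  const findings: Finding[] = [];
  const add = (rule: string, detail: string): void => {
    findings.push({ idp: idp.name, rule, detail });
  };

  if (idp.type === "saml" && idp.config.enable_encryption === true) {
    // enable_encryption "requires saml_certificate_set_id to be set when true".
    if (!idp.saml_certificate_set_id) {
      add("saml-encryption-without-set", "enable_encryption is true but no certificate set is assigned");
    }
    const set = idp.saml_certificate_set;
    const current = set?.current_certificate;
    if (current) {
      const expires = Date.parse(current.not_after);
      if (isNaN(expires)) {
        add("saml-cert-bad-date", `not_after is not a date-time: ${current.not_after}`);
      } else if (expires - now.getTime() <= ROTATION_WINDOW_MS) {
        // A rotated set would already expose a newer current certificate.
        add("saml-cert-in-rotation-window", `certificate ${current.uid} expires ${current.not_after}`);
      }
    }
    if (set && set.previous_certificate != null) {
      // After rotation the external IdP must encrypt to the new public_certificate.
      add("saml-cert-rotated", "confirm the external IdP uses the current public_certificate");
    }
  }

  const scim = idp.scim_config;
  if (scim) {
    // seat_deprovision "cannot be enabled unless user_deprovision is also enabled".
    if (scim.seat_deprovision && !scim.user_deprovision) {
      add("scim-seat-without-user-deprovision", "seat_deprovision set without user_deprovision");
    }
    // Example policy (assumption): flag providers where SCIM events neither
    // change the identity used for policy evaluation nor revoke sessions.
    if (scim.enabled && scim.identity_update_behavior === "no_action" && !scim.user_deprovision) {
      add("scim-changes-ignored", "SCIM updates neither change identities nor revoke sessions");
    }
  }
  return findings;
}

function auditAll(idps: IdentityProvider[], now: Date): Finding[] {
  const all: Finding[] = [];
  for (const idp of idps) all.push(...auditIdentityProvider(idp, now));
  return all;
}

// Constructed sample inventory (placeholder UUIDs, no real certificates).
const PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----";
const SAMPLE_INVENTORY: IdentityProvider[] = [
  { name: "corp-saml", type: "saml", config: { enable_encryption: true } },
  {
    name: "partner-saml", type: "saml", config: { enable_encryption: true },
    saml_certificate_set_id: "00000000-0000-4000-8000-000000000001",
    saml_certificate_set: {
      created_at: "2024-01-20T00:00:00Z", uid: "00000000-0000-4000-8000-000000000001",
      updated_at: "2024-01-20T00:00:00Z", previous_certificate: null,
      current_certificate: {
        is_current: true, not_after: "2025-01-20T00:00:00Z",
        public_certificate: PLACEHOLDER_PEM, uid: "00000000-0000-4000-8000-000000000002",
      },
    },
  },
  {
    name: "workforce-okta", type: "okta", config: { client_id: "constructed-client-id" },
    scim_config: { enabled: true, identity_update_behavior: "no_action", seat_deprovision: true, user_deprovision: false },
  },
  {
    name: "clean-oidc", type: "oidc", config: { pkce_enabled: true },
    scim_config: { enabled: true, identity_update_behavior: "reauth", seat_deprovision: true, user_deprovision: true },
  },
];
```

Pass the audit time explicitly, as `auditAll(SAMPLE_INVENTORY, new Date(...))` does, so results are reproducible when the same inventory snapshot is re-checked later.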

IdentityProviderType = "onetimepin" | "azureAD" | "saml" | 12 more

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
IdentityProviderListResponse = AzureAD { config, name, type, 5 more } | AccessCentrify { config, name, type, 5 more } | AccessFacebook { config, name, type, 5 more } | 12 more
One of the following:
AzureAD { config, name, type, 5 more }
config: Config { claims, client_id, client_secret, 5 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

conditional_access_enabled?: boolean

Whether Cloudflare should try to load authentication contexts from your account

directory_id?: string

Your Azure directory UUID

email_claim_name?: string

The claim name for email in the id_token response.

prompt?: "login" | "select_account" | "none"

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and provides an account selection experience that lists all the accounts in session, any remembered accounts, and an option to use a different account altogether.

One of the following:
"login"
"select_account"
"none"
support_groups?: boolean

Whether Cloudflare should try to load groups from your account.

name: string

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength: 36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

format: uuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

format: uuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
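
An added example, not part of Cloudflare's SDK or documentation: a TypeScript audit over records shaped like the IdentityProviderListResponse entries described here. It flags SAML encryption certificates that are expired or already inside the 30-day rotation window, and SCIM configurations that leave user_deprovision off. The helper name auditProviders and the sample records, names and UIDs are constructed for illustration.

```typescript
// Shapes follow the field names in this reference; only the fields the audit reads are typed.
interface Cert { is_current: boolean; not_after: string; public_certificate: string; uid: string }
interface CertSet { uid: string; current_certificate?: Cert; previous_certificate?: unknown }
interface Provider {
  name: string;
  type: string;
  saml_certificate_set?: CertSet;
  scim_config?: { enabled?: boolean; user_deprovision?: boolean };
}

// The reference states certificates are rotated 30 days before expiration.
const ROTATION_WINDOW_MS = 30 * 24 * 60 * 60 * 1000;

// Hypothetical helper: returns one human-readable finding per issue.
function auditProviders(providers: Provider[], now: Date): string[] {
  const findings: string[] = [];
  for (const p of providers) {
    const label = `${p.name} (${p.type})`;
    const scim = p.scim_config;
    if (scim && scim.enabled && scim.user_deprovision !== true) {
      findings.push(`${label}: SCIM enabled but user_deprovision is off`);
    }
    const set = p.saml_certificate_set;
    if (!set || !set.current_certificate) continue; // only SAML providers with a set have one
    const cert = set.current_certificate;
    if (!cert.is_current) findings.push(`${label}: current_certificate not marked is_current`);
    const expiry = Date.parse(cert.not_after);
    if (isNaN(expiry)) {
      findings.push(`${label}: unparseable not_after`);
    } else if (expiry <= now.getTime()) {
      findings.push(`${label}: encryption certificate expired`);
    } else if (expiry - now.getTime() < ROTATION_WINDOW_MS) {
      findings.push(`${label}: certificate inside 30-day rotation window`);
    }
    if (set.previous_certificate != null) {
      findings.push(`${label}: rotation occurred, confirm the IdP has the current public_certificate`);
    }
  }
  return findings;
}

// Constructed sample records (not real account data).
const SAMPLE_NOW = new Date("2025-01-15T00:00:00Z");
const SAMPLE_PROVIDERS: Provider[] = [
  { name: "Corp SAML", type: "saml", scim_config: { enabled: true, user_deprovision: false },
    saml_certificate_set: { uid: "constructed-set-1", previous_certificate: null,
      current_certificate: { is_current: true, not_after: "2025-02-01T00:00:00Z",
        public_certificate: "<PEM placeholder>", uid: "constructed-cert-1" } } },
  { name: "Entra", type: "azureAD", scim_config: { enabled: true, user_deprovision: true } },
];
```

A finding about the rotation window or a non-null previous_certificate is a prompt to check that the external SAML identity provider has been given the current public_certificate.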

AccessCentrify { config, name, type, 5 more }
config: Config { centrify_account, centrify_app_id, claims, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

centrify_account?: string

Your Centrify account URL

centrify_app_id?: string

Your Centrify app ID

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength: 36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

format: uuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

format: uuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id?: string

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessFacebook { config, name, type, 5 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

name: string

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id?: string

UUID.

maxLength: 36
read_only?: boolean

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set?: SAMLCertificateSet { created_at, uid, updated_at, 2 more }

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

format: uuid